function edituser_institution_submit(Pieform $form, $values) { $user = new User(); if (!$user->find_by_id($values['id'])) { return false; } $userinstitutions = $user->get('institutions'); global $USER, $SESSION; foreach ($userinstitutions as $i) { if ($USER->can_edit_institution($i->institution)) { if (isset($values[$i->institution . '_submit'])) { $newuser = (object) array('usr' => $user->id, 'institution' => $i->institution, 'ctime' => db_format_timestamp($i->ctime), 'studentid' => $values[$i->institution . '_studentid'], 'staff' => (int) ($values[$i->institution . '_staff'] == 'on'), 'admin' => (int) ($values[$i->institution . '_admin'] == 'on')); if ($values[$i->institution . '_expiry']) { $newuser->expiry = db_format_timestamp($values[$i->institution . '_expiry']); } db_begin(); delete_records('usr_institution', 'usr', $user->id, 'institution', $i->institution); insert_record('usr_institution', $newuser); if ($newuser->admin) { activity_add_admin_defaults(array($user->id)); } handle_event('updateuser', $user->id); db_commit(); $SESSION->add_ok_msg(get_string('userinstitutionupdated', 'admin', $i->displayname)); break; } else { if (isset($values[$i->institution . '_remove'])) { if ($user->id == $USER->id) { $USER->leave_institution($i->institution); } else { $user->leave_institution($i->institution); } $SESSION->add_ok_msg(get_string('userinstitutionremoved', 'admin', $i->displayname)); // Institutional admins can no longer access this page // if they remove the user from the institution, so // send them back to user search. if (!$USER->get('admin')) { if (!$USER->is_institutional_admin()) { redirect(get_config('wwwroot')); } redirect('/admin/users/search.php'); } break; } } } } if (isset($values['add']) && $USER->get('admin') && (empty($userinstitutions) || get_config('usersallowedmultipleinstitutions'))) { if ($user->id == $USER->id) { $USER->join_institution($values['addinstitution']); $USER->commit(); $userinstitutions = $USER->get('institutions'); } else { $user->join_institution($values['addinstitution']); $userinstitutions = $user->get('institutions'); } $SESSION->add_ok_msg(get_string('userinstitutionjoined', 'admin', $userinstitutions[$values['addinstitution']]->displayname)); } redirect('/admin/users/edit.php?id=' . $user->id); }
/** * Grab a delegate object for auth stuff */ public function request_user_authorise($attributes) { global $USER, $SESSION; $this->must_be_ready(); if (empty($attributes) or !array_key_exists($this->config['user_attribute'], $attributes) or !array_key_exists($this->config['institutionattribute'], $attributes)) { throw new AccessDeniedException(); } $remoteuser = $attributes[$this->config['user_attribute']][0]; $firstname = isset($attributes[$this->config['firstnamefield']][0]) ? $attributes[$this->config['firstnamefield']][0] : null; $lastname = isset($attributes[$this->config['surnamefield']][0]) ? $attributes[$this->config['surnamefield']][0] : null; $email = isset($attributes[$this->config['emailfield']][0]) ? $attributes[$this->config['emailfield']][0] : null; $institutionname = $this->institution; $create = false; $update = false; // Retrieve a $user object. If that fails, create a blank one. try { $isremote = $this->config['remoteuser'] ? true : false; $user = new User(); if (get_config('usersuniquebyusername')) { // When turned on, this setting means that it doesn't matter // which other application the user SSOs from, they will be // given the same account in Mahara. // // This setting is one that has security implications unless // only turned on by people who know what they're doing. In // particular, every system linked to Mahara should be making // sure that same username == same person. This happens for // example if two Moodles are using the same LDAP server for // authentication. // // If this setting is on, it must NOT be possible to self // register on the site for ANY institution - otherwise users // could simply pick usernames of people's accounts they wished // to steal. if ($institutions = get_column('institution', 'name', 'registerallowed', '1')) { log_warn("usersuniquebyusername is turned on but registration is allowed for an institution. " . "No institution can have registration allowed for it, for security reasons.\n" . "The following institutions have registration enabled:\n " . join("\n ", $institutions)); throw new AccessDeniedException(); } if (!get_config('usersallowedmultipleinstitutions')) { log_warn("usersuniquebyusername is turned on but usersallowedmultipleinstitutions is off. " . "This makes no sense, as users will then change institution every time they log in from " . "somewhere else. Please turn this setting on in Site Options"); throw new AccessDeniedException(); } } else { if (!$isremote) { log_warn("usersuniquebyusername is turned off but remoteuser has not been set on for this institution: {$institutionname}. " . "This is a security risk as users from different institutions with different IdPs can hijack " . "each others accounts. Fix this in the institution level auth/saml settings."); throw new AccessDeniedException(); } } if ($isremote) { $user->find_by_instanceid_username($this->instanceid, $remoteuser, $isremote); } else { $user->find_by_username($remoteuser); } if ($user->get('suspendedcusr')) { die_info(get_string('accountsuspended', 'mahara', strftime(get_string('strftimedaydate'), $user->get('suspendedctime')), $user->get('suspendedreason'))); } if ('1' == $this->config['updateuserinfoonlogin']) { $update = true; } } catch (AuthUnknownUserException $e) { if (!empty($this->config['weautocreateusers'])) { $institution = new Institution($this->institution); if ($institution->isFull()) { $institution->send_admin_institution_is_full_message(); throw new XmlrpcClientException('SSO attempt from ' . $institution->displayname . ' failed - institution is full'); } $user = new User(); $create = true; } else { log_debug("User authorisation request from SAML failed - " . "remote user '{$remoteuser}' is unknown to us and auto creation of users is turned off"); return false; } } /*******************************************/ if ($create) { $user->passwordchange = 1; $user->active = 1; $user->deleted = 0; $user->expiry = null; $user->expirymailsent = 0; $user->lastlogin = time(); $user->firstname = $firstname; $user->lastname = $lastname; $user->email = $email; // must have these values if (empty($firstname) || empty($lastname) || empty($email)) { throw new AccessDeniedException(get_string('errormissinguserattributes1', 'auth.saml', get_config('sitename'))); } $user->authinstance = empty($this->config['parent']) ? $this->instanceid : $this->parent; db_begin(); $user->username = get_new_username($remoteuser, 40); $user->id = create_user($user, array(), $institutionname, $this, $remoteuser); /* * We need to convert the object to a stdclass with its own * custom method because it uses overloaders in its implementation * and its properties wouldn't be visible to a simple cast operation * like (array)$user */ $userobj = $user->to_stdclass(); $userarray = (array) $userobj; db_commit(); // Now we have fired the create event, we need to re-get the data // for this user $user = new User(); $user->find_by_id($userobj->id); if (get_config('usersuniquebyusername')) { // Add them to the institution they have SSOed in by $user->join_institution($institutionname); } } elseif ($update) { if (!empty($firstname)) { set_profile_field($user->id, 'firstname', $firstname); $user->firstname = $firstname; } if (!empty($lastname)) { set_profile_field($user->id, 'lastname', $lastname); $user->lastname = $lastname; } if (!empty($email)) { set_profile_field($user->id, 'email', $email); $user->email = $email; } $user->lastlastlogin = $user->lastlogin; $user->lastlogin = time(); } $user->commit(); /*******************************************/ // We know who our user is now. Bring em back to life. $result = $USER->reanimate($user->id, $this->instanceid); log_debug("remote user '{$remoteuser}' is now reanimated as '{$USER->username}' "); $SESSION->set('authinstance', $this->instanceid); return true; }