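/**
 * Sets a WordPress user's role based on their AAD group memberships.
 *
 * The role map is consulted in its configured order and the first mapped AAD
 * group the user belongs to wins, so if a user can be a member of several mapped
 * groups, the ordering of the map decides which role is granted. If the user is
 * in none of the mapped groups the configured default role is used.
 *
 * @param WP_User $user          The WordPress user whose role is being set.
 * @param string  $aad_user_id   The AAD object id of the user.
 * @param string  $aad_tenant_id The AAD directory tenant ID.
 * @return WP_User|WP_Error The WP_User with its updated role, or WP_Error if the
 *                          group lookup failed or no role could be determined.
 */
function updateUserRoles($user, $aad_user_id, $aad_tenant_id) {
    // Pass the settings to GraphHelper
    AADSSO_GraphHelper::$settings = $this->settings;
    AADSSO_GraphHelper::$tenant_id = $aad_tenant_id;

    // Of the AAD groups defined in the settings, get only those where the user is a member
    $group_ids = array_keys($this->settings->aad_group_to_wp_role_map);
    $group_memberships = AADSSO_GraphHelper::userCheckMemberGroups($aad_user_id, $group_ids);

    // A failed lookup must not be treated as "member of no groups": that would
    // silently fall through to the default role. Surface it to the caller instead.
    // NOTE(review): only WP_Error responses are detected here; if the helper can
    // also return a Graph error payload inside the decoded body, that case still
    // needs handling — confirm against AADSSO_GraphHelper::userCheckMemberGroups.
    if ($group_memberships instanceof WP_Error) {
        return $group_memberships;
    }

    // Determine which WordPress role the AAD group corresponds to: the first
    // mapped group the user belongs to wins.
    $role_to_set = $this->settings->default_wp_role;
    if (!empty($group_memberships->value)) {
        foreach ($this->settings->aad_group_to_wp_role_map as $aad_group => $wp_role) {
            // Strict comparison so group ids are matched byte-for-byte rather than
            // via PHP's loose string/number coercion. The key is cast to string
            // because PHP converts integer-like array keys to int.
            if (in_array((string) $aad_group, $group_memberships->value, true)) {
                $role_to_set = $wp_role;
                break;
            }
        }
    }

    // Explicit null/empty check; the previous `NULL != $x || "" != $x` relied on
    // loose comparison and read as always-true.
    if ($role_to_set === null || $role_to_set === '') {
        return new WP_Error('user_not_member_of_required_group', sprintf('ERROR: AAD user %s is not a member of any group granting a role.', $aad_user_id));
    }

    // Set the role on the WordPress user
    $user->set_role($role_to_set);

    return $user;
}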