• Resolved dtod

    (@dtod)


    How do you restrict logins using CAS attributes? I think I see in the Developer notes that you can add a filter for authorizer_automatically_approve_login, but is that the same thing? Is there a way in the UI to do this, or does it have to be in code? If so, (and I know this is a novice question) where is the best place to do that?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Paul Ryan

    (@figureone)

    Currently there’s no way in the UI to do this, though I hope to add that feature at some point. Via code, the easiest place to add the hooks is in your theme’s functions.php file. There are currently two hooks you could use:

    authorizer_automatically_approve_login will let you inspect CAS attributes and determine if someone can get an account created automatically (they will bypass the Pending list). This is more useful if your site is configured to allow “Only approved users” and is effectively a whitelist of users.

    authorizer_allow_login will let you inspect CAS attributes and determine if someone should be blocked from logging in (they will be added to the Blocked list). This is more useful if your site is configured to allow “All authenticated users” and is effectively a blacklist of users.

    The code samples below are also in the readme, but they’re currently rendered improperly due to an open bug with the WordPress forums. Hopefully that will be resolved soon!
    https://meta.trac.ww.wp.xz.cn/ticket/2655

    Here’s an example of authorizer_automatically_approve_login:

    /**
     * Filter whether to automatically approve the currently logging in user
     * based on any of their user attributes.
     *
     * @param bool  $automatically_approve_login
     *   Whether to automatically approve the currently logging in user.
     * @param array $user_data User data returned from external service.
     */
    function approve_all_faculty_logins( $automatically_approve_login, $user_data ) {
      // Automatically approve logins for all faculty members.
      if (
        isset( $user_data['cas_attributes']['eduPersonAffiliation'] ) &&
        'faculty' === $user_data['cas_attributes']['eduPersonAffiliation']
      ) {
        $automatically_approve_login = true;
      }
      return $automatically_approve_login;
    }
    add_filter( 'authorizer_automatically_approve_login', 'approve_all_faculty_logins', 10, 2 );

    And here’s an example of authorizer_allow_login:

    /**
     * Filter whether to block the currently logging in user based on any of their
     * user attributes.
     *
     * @param bool  $allow_login Whether to allow the currently logging in user (false blocks).
     * @param array $user_data   User data returned from external service.
     */
    function check_cas_attributes( $allow_login, $user_data ) {
      // Block access to CAS logins from library guests.
      if (
        isset( $user_data['cas_attributes']['eduPersonPrimaryAffiliation'] ) &&
        'library-walk-in' === $user_data['cas_attributes']['eduPersonPrimaryAffiliation']
      ) {
        $allow_login = false;
      }
      return $allow_login;
    }
    add_filter( 'authorizer_allow_login', 'check_cas_attributes', 10, 2 );
    • This reply was modified 9 years ago by Paul Ryan.
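
An added example, not part of the reply above or the Authorizer readme: an `authorizer_allow_login` filter that allowlists affiliations rather than blocking a single value, accepts `eduPersonAffiliation` as either a string or an array, and denies CAS logins that carry no matching value. The function names, the constant and the allowlist values are hypothetical, and it assumes a login without `cas_attributes` came from another provider and should be left to other filters.

```php
<?php
// Added example. Hypothetical names: EXAMPLE_ALLOWED_AFFILIATIONS,
// example_cas_values(), example_restrict_by_affiliation().

// Constructed allowlist; replace with the values your CAS server releases.
const EXAMPLE_ALLOWED_AFFILIATIONS = array( 'faculty', 'staff' );

/**
 * Normalize one CAS attribute to a list of lowercase strings.
 * Assumption: a multi-valued attribute may arrive as an array and a
 * single-valued one as a plain string, depending on the CAS server.
 */
function example_cas_values( $attributes, $name ) {
  if ( ! is_array( $attributes ) || ! isset( $attributes[ $name ] ) ) {
    return array();
  }
  $values = array();
  foreach ( (array) $attributes[ $name ] as $value ) {
    if ( is_scalar( $value ) ) {
      $values[] = strtolower( trim( (string) $value ) );
    }
  }
  return $values;
}

function example_restrict_by_affiliation( $allow_login, $user_data ) {
  // Never turn a denial from an earlier filter back into an approval.
  if ( ! $allow_login ) {
    return false;
  }
  // Assumption: no cas_attributes key means this was not a CAS login.
  if ( ! isset( $user_data['cas_attributes'] ) ) {
    return $allow_login;
  }
  $found = example_cas_values( $user_data['cas_attributes'], 'eduPersonAffiliation' );
  // Fail closed: a missing attribute or no allowlisted value blocks the login.
  return count( array_intersect( $found, EXAMPLE_ALLOWED_AFFILIATIONS ) ) > 0;
}

if ( function_exists( 'add_filter' ) ) {
  add_filter( 'authorizer_allow_login', 'example_restrict_by_affiliation', 10, 2 );
} else {
  // Outside WordPress: exercise the filter on constructed sample data.
  $multi  = array( 'cas_attributes' => array( 'eduPersonAffiliation' => array( 'member', 'Staff' ) ) );
  $single = array( 'cas_attributes' => array( 'eduPersonAffiliation' => 'library-walk-in' ) );
  var_dump( example_restrict_by_affiliation( true, $multi ) );
  var_dump( example_restrict_by_affiliation( true, $single ) );
}
```

Omit the opening `<?php` tag when pasting this into a `functions.php` file that already has one.
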
  • Thread Starter dtod

    (@dtod)

    That is extremely helpful. Thank you very, very much!


The topic ‘Limit logins using CAS Attributes’ is closed to new replies.