LafColITS / Moodle-auth_casattras

A CAS (SSO) authentication module for Moodle that uses released attributes rather than LDAP for user information.

Restrict authorization based on attribute #8

Open mackensen opened 7 years ago

mackensen commented 7 years ago

We're migrating from Shibboleth to CAS and thinking of using this module. One capability which we would need is the ability to restrict authorization based on attribute; probably based on eduPersonEntitlement. We're happy to develop this ourselves and contribute it back, but we aren't sure if the code should live in the auth module or somewhere else. Have you solved this problem at Middlebury?

adamfranco commented 7 years ago

Hi @mackensen, we haven't tried restricting Moodle authorization based on attributes in the CAS response. As described in our wiki, we do return attributes that other applications use for authorization controls, but in Moodle we would just let everyone in and provision enrollments via the WSPP web service module. I'd imagine that the Moodle authentication flow has a point at which one could plug in and make enrollment/authorization checks, but I haven't looked.

Cheers, Adam

jogemu commented 4 years ago

Hi, I guess this isn't active anymore; however, a restriction can be achieved by allowing access to courses based on cohorts. Plugins like Auto-cohort can assign cohorts based on profile fields, which should be compatible with auth_casattras. This would work better if auth_casattras had support for writing CAS response fields into custom profile fields instead of abusing Moodle's profile fields, which might be user visible.

Another attempt would be to include cohort enrolment into the functionality of auth_casattras. That would allow switching between only adding cohorts or also removing them if the field changes. When courses are based on cohorts, removing a user from the cohort means permanently deleting all their uploads, test results and progress. This won't be desired, especially if you are trying to switch the authentication method. I tried the implementation myself and it should be easy by using the functions cohort_add_member with the user id and the id of cohort_get_cohorts or cohort_add_cohort within the auth function pre_user_login_hook() for a comma-separated field provided by CAS. However, I suspect a Moodle bug because pre_user_login_hook() is not called if the user is new to Moodle. I opened the issue MDL-69408 but no one has answered for nearly a month now.
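The cohort-based approach sketched in the comment above, written out as an added example (this is not code from auth_casattras or from the comment author). It assumes a hypothetical attribute name `memberOf` carrying a comma-separated list of cohort idnumbers, and it tags every cohort it creates with `component = 'auth_casattras'` so that the optional removal step only ever touches cohorts this code manages, never cohorts an administrator created by hand. It uses only the documented Moodle cohort API functions (`cohort_add_cohort`, `cohort_add_member`, `cohort_is_member`, `cohort_remove_member`).

```php
<?php
// Added example, not part of auth_casattras: sync Moodle cohort membership
// from a comma-separated CAS attribute. Assumed/hypothetical: the attribute
// name 'memberOf', the $remove flag, and the component tag used to mark
// cohorts created here.
defined('MOODLE_INTERNAL') || die();

require_once($CFG->dirroot . '/cohort/lib.php');

/**
 * Split a comma-separated (or already multi-valued) CAS attribute into
 * trimmed, de-duplicated cohort idnumbers.
 */
function auth_casattras_parse_cohort_attr($value): array {
    $parts = is_array($value) ? $value : explode(',', (string) $value);
    $parts = array_map('trim', $parts);
    $parts = array_filter($parts, 'strlen');      // drop empty entries
    return array_values(array_unique($parts));
}

/**
 * Return the id of the system-context cohort with this idnumber, creating
 * it (tagged with our component) if it does not exist yet.
 */
function auth_casattras_get_or_create_cohort(string $idnumber): int {
    global $DB;
    $contextid = context_system::instance()->id;
    $existing = $DB->get_record('cohort', ['contextid' => $contextid, 'idnumber' => $idnumber]);
    if ($existing) {
        return (int) $existing->id;
    }
    $cohort = new stdClass();
    $cohort->contextid = $contextid;
    $cohort->name = $idnumber;
    $cohort->idnumber = $idnumber;
    $cohort->description = 'Created from CAS attribute';   // constructed text
    $cohort->descriptionformat = FORMAT_PLAIN;
    $cohort->visible = 1;
    $cohort->component = 'auth_casattras';  // only cohorts with this tag may lose members below
    return cohort_add_cohort($cohort);
}

/**
 * Add the user to every cohort named in the attribute. When $remove is true,
 * also remove them from plugin-managed cohorts the attribute no longer names;
 * when false (the safe default), memberships are only ever added.
 * Returns [added idnumbers, removed idnumbers] for logging.
 */
function auth_casattras_sync_cohorts(int $userid, array $attributes,
                                     string $attrname = 'memberOf', bool $remove = false): array {
    global $DB;
    $wanted = auth_casattras_parse_cohort_attr($attributes[$attrname] ?? '');

    $added = [];
    foreach ($wanted as $idnumber) {
        $cohortid = auth_casattras_get_or_create_cohort($idnumber);
        if (!cohort_is_member($cohortid, $userid)) {
            cohort_add_member($cohortid, $userid);
            $added[] = $idnumber;
        }
    }

    $removed = [];
    if ($remove) {
        // Only cohorts created by this plugin are candidates for removal.
        $sql = "SELECT c.id, c.idnumber
                  FROM {cohort} c
                  JOIN {cohort_members} cm ON cm.cohortid = c.id
                 WHERE cm.userid = :userid AND c.component = :component";
        $current = $DB->get_records_sql($sql, ['userid' => $userid, 'component' => 'auth_casattras']);
        foreach ($current as $cohort) {
            if (!in_array($cohort->idnumber, $wanted, true)) {
                cohort_remove_member($cohort->id, $userid);
                $removed[] = $cohort->idnumber;
            }
        }
    }
    return [$added, $removed];
}
```

Wired into the auth plugin, the call would sit in `pre_user_login_hook(&$user)` as `auth_casattras_sync_cohorts((int) $user->id, phpCAS::getAttributes());`, with the attribute array coming from the phpCAS session the plugin has already established. Keeping `$remove` false preserves the add-only behaviour the comment recommends when migrating authentication methods, since cohort-based course access means a removal would delete the user's course data. Note that the comment author reports the hook not firing for users who do not yet exist in Moodle (MDL-69408), so a first-login user may need a separate path.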

jogemu commented 4 years ago

@mackensen, @adamfranco I am sorry to ask again, but I would like to know your thoughts about my last comment, or who the maintainer of this project is?