michaelryanmcneill / shibboleth

Shibboleth plugin for WordPress
https://wordpress.org/plugins/shibboleth/

role mapping on multi-site #56

Open tthorp opened 5 years ago

tthorp commented 5 years ago

I am supporting a legacy site that was using a combination of plugins to provide shib-auth and role mappings. One of the nice features of our setup is that each site in the network has a screen which allows you to map roles for that site. So, if I were in a site, I would navigate to Dashboard > Users > Shibboleth.

The downside is that the plugins are orphaned by their developers and I'm having trouble finding a replacement that works with PHP 7.

I was hoping to ask if I am properly understanding this plugin. Does it offer per-site role mapping? It doesn't seem to. Are there any plugins that will add that feature to this plugin?

screenshot of site-based role mappings: https://snag.gy/ELlnTq.jpg

jrchamp commented 5 years ago

This plugin currently uses get_site_option() which is akin to calling get_network_option() and will thus save only one set of options per network. A case could be made that use of get_site_option() should only occur when the plugin is network activated. You may want to try switching all of the relevant get_site_option() calls to get_option() calls and then activate the plugin at the site level.

EDIT: You will also need to modify the relevant add_site_option() and update_site_option() calls.

If you give it a try, please let us know how it goes! If it works, we'll want to look at making this plugin aware of whether it was activated at the network or site level.

Note to self - consider extending shibboleth_getoption() with something like:

function shibboleth_getoption( $option ) {
    static $network_active;
    if ( $network_active === null ) {
        // is_plugin_active_for_network() is only loaded in the admin context;
        // front-end requests need wp-admin/includes/plugin.php pulled in first.
        if ( ! function_exists( 'is_plugin_active_for_network' ) ) {
            require_once ABSPATH . 'wp-admin/includes/plugin.php';
        }
        $plugin_file    = plugin_basename( __FILE__ );
        $network_active = is_plugin_active_for_network( $plugin_file );
    }

    if ( $network_active ) {
        return get_site_option( $option ); // one value for the whole network
    }
    return get_option( $option );          // one value per site
}

Also would need to create wrappers for add_site_option() and update_site_option() calls if we go this route.
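The wrapper idea above carried through to the write side, as an added example that is not the plugin's own code: shibboleth_is_network_active(), shibboleth_getoption(), shibboleth_add_option() and shibboleth_update_option() are hypothetical names, while get_site_option(), get_option(), add_site_option(), add_option(), update_site_option(), update_option(), is_multisite(), plugin_basename() and is_plugin_active_for_network() are the real WordPress functions. The option name used in the usage comment is a placeholder.

```php
<?php
// Added example, not the plugin's code. Chooses network-wide or per-site
// storage once, based on how the plugin was activated, and routes every
// read and write through that decision so the two can never disagree.

function shibboleth_is_network_active() {
    static $network_active = null;
    if ( null !== $network_active ) {
        return $network_active;
    }
    // is_plugin_active_for_network() lives in wp-admin/includes/plugin.php,
    // which is not loaded on front-end requests; load it before calling it.
    if ( ! function_exists( 'is_plugin_active_for_network' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    // Assumption: this file is the plugin's main file, so plugin_basename( __FILE__ )
    // yields the "plugin-dir/plugin-file.php" slug the activation check expects.
    $network_active = is_multisite()
        && is_plugin_active_for_network( plugin_basename( __FILE__ ) );
    return $network_active;
}

function shibboleth_getoption( $option, $default = false ) {
    return shibboleth_is_network_active()
        ? get_site_option( $option, $default )   // one row per network
        : get_option( $option, $default );       // one row per site
}

function shibboleth_add_option( $option, $value ) {
    return shibboleth_is_network_active()
        ? add_site_option( $option, $value )
        : add_option( $option, $value );
}

function shibboleth_update_option( $option, $value ) {
    return shibboleth_is_network_active()
        ? update_site_option( $option, $value )
        : update_option( $option, $value );
}

// Usage (placeholder option name): each existing
//   get_site_option( 'shibboleth_example_option' )
// call becomes
//   shibboleth_getoption( 'shibboleth_example_option' )
// so that, when the plugin is activated on one site of the network, the role
// mapping is read from and written to that site's own options table.
```

The activation state is cached in a static so the admin include is evaluated at most once per request. Keeping the read and write helpers on the same switch is the point: a per-site settings page that writes with update_option() while the login path still reads with get_site_option() would silently apply the network mapping to every site.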

tthorp commented 5 years ago

I see. Thank you for clarifying. I'd like to continue the conversation by describing my use-case and legacy solution a little more as it is really valuable to us.

Our network has around 900 sites. We are using authentication with shibboleth plugin 1.6 and Shibboleth Role Mapping Extension by Erick Hitter, version 1.0 (which is no longer available).

The combination of the two allows us to strictly use shib-auth, thereby preventing local account issues, and we can add groups to sites, which is really useful when, for instance, we want an academic class to have all students as authors and all TAs as editors.

jrchamp commented 5 years ago

Okay, so you're saying that Shibboleth is network activated, but you want to be able to specify additional role mappings per-site? Would you get multiple roles or just the first one? (a conversation about managed role started recently #55)

Reminder for implementer: If we go this route, we'll need to look at how this affects multisite and loading pages for sites after we've already logged in to make sure roles don't stay out of sync.

tthorp commented 5 years ago

That is correct, Shibboleth is network activated. Thank you for inferring that! I apologize, but I am not sure I understand the question about multiple roles. I will start my response by saying that our Shibboleth Header Values are actually groups. If a user is added to a group via Grouper, it will result in that user being specified as a group member in the LDAP directory. Our Shibboleth is configured to release group membership details from a user's LDAP entry.

Perhaps your question is about a person who has membership in two groups, one with a role of Subscriber and one with a role of Administrator. In that instance, we would grant the most privileged role to the user.

jrchamp commented 5 years ago

Correct, I was asking about the expected way that the plugin would handle when the user would map to two or more roles based on being a member of multiple groups. The question is simpler if we only consider the default, unmodified roles in WordPress. However, roles can be more about separating permissions than describing a strictly vertical hierarchy, so in several cases we've implemented additive roles as a good way to leverage both a separation of concerns and the principle of least privilege. Thus, because we've already implemented support for user generated roles, it seems to make sense to assign a user all of the roles that they qualify for and not attempt to limit to the "first matching" or "most privileged".

In short: Would it still meet your needs if it mapped individuals to all of the roles for which they qualify?

tthorp commented 5 years ago

Thank you for clarifying. Yes, that would make sense.

tthorp commented 5 years ago

Perhaps role mapping should be provided by a separate plugin, as it is in our legacy setup. That would allow your plugin to continue working with its current use-case and it would allow this additional functionality for those who need it.

jrchamp commented 5 years ago

A separate plugin can already do this, but only if they want to set one role because of the use of set_role(). Otherwise, if they are only setting one role, they could just hook shibboleth_user_role.

What we should probably do (in addition to the multi-role support) is look to separating the built-in logic within shibboleth_get_user_role() so that it behaves as a sub-plugin. This would allow other plugins to run before or after as needed.
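The additive mapping agreed on earlier in the thread, and the set_role() limitation just mentioned, as one added example that is not the plugin's own code: shibboleth_map_groups_to_roles() and shibboleth_apply_roles() are hypothetical names, WP_User::add_role(), WP_User::remove_role(), $user->roles and wp_roles()->is_role() are real WordPress APIs, the group values and mapping are constructed samples, and the ';' separator is assumed to be how the Shibboleth SP joins multi-valued attributes into one header.

```php
<?php
// Added example, not the plugin's code. Computes every role a user qualifies
// for from a multi-valued group header and a per-site group => role mapping,
// then applies the whole set with add_role() instead of set_role(), which
// would keep only one role.

/**
 * Return all roles the user qualifies for on the current site.
 *
 * @param string $header_value Raw attribute, e.g. "cn=cs101-students;cn=cs101-tas" (constructed).
 * @param array  $mapping      Per-site map, e.g. array( 'cn=cs101-students' => 'author', 'cn=cs101-tas' => 'editor' ).
 * @param string $default_role Role used when no group matches; '' assigns none.
 * @return string[] Unique role slugs that actually exist on this site.
 */
function shibboleth_map_groups_to_roles( $header_value, array $mapping, $default_role = 'subscriber' ) {
    // Assumption: the SP joins multi-valued attributes with ';'.
    $groups = array_filter( array_map( 'trim', explode( ';', (string) $header_value ) ) );

    $roles = array();
    foreach ( $groups as $group ) {
        if ( isset( $mapping[ $group ] ) ) {
            $roles[] = $mapping[ $group ];
        }
    }
    if ( empty( $roles ) && '' !== $default_role ) {
        $roles[] = $default_role;
    }

    // Fail closed: a mistyped or stale mapping entry must not name a role that
    // is not registered on this site, so unknown slugs are dropped here.
    $roles = array_filter( array_unique( $roles ), function ( $role ) {
        return wp_roles()->is_role( $role );
    } );
    return array_values( $roles );
}

/**
 * Make the user's roles on this site exactly the computed set (additive, but
 * also revoking roles the user no longer qualifies for, so a later login
 * after a group change does not leave stale privileges behind).
 */
function shibboleth_apply_roles( WP_User $user, array $roles ) {
    foreach ( $user->roles as $existing ) {
        if ( ! in_array( $existing, $roles, true ) ) {
            $user->remove_role( $existing );
        }
    }
    foreach ( $roles as $role ) {
        $user->add_role( $role ); // no-op when the role is already present
    }
}

// Usage sketch (constructed values): a TA who is also enrolled as a student
// ends up with both 'author' and 'editor' rather than only the first match.
// $roles = shibboleth_map_groups_to_roles(
//     'cn=cs101-students;cn=cs101-tas',
//     array( 'cn=cs101-students' => 'author', 'cn=cs101-tas' => 'editor' )
// );
// shibboleth_apply_roles( $user, $roles );  // $user is the logged-in WP_User
```

Because $user->roles is per-site on multisite, running the apply step at login on each site gives the per-site behaviour asked for in this thread, and revoking non-matching roles addresses the "roles don't stay out of sync" reminder above. The cost of that choice is that roles granted by hand in the dashboard are removed at the next login unless the mapping also lists them, which is the intended outcome when the directory is meant to be the only source of truth.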

dcsoliday commented 4 years ago

Hi all, Glad I just found this, and wondering if there's been any update. We are looking to do the same thing: set the default user role per site on a multisite instance. However, the settings for the plugin are at the network level, even while activating it per site. I seem to recall this being a change in a past update. While we're fine having the default role of Subscriber on the vast majority of our sites, we're now working on a new case where we'd want the default role to be Author. We basically need to allow all our campus account holders to log in and have a bit more access than a subscriber, but only on one of our sites.

David

tthorp commented 4 years ago

I second your enthusiasm but have not heard from the dev team that they have decided to incorporate this use case in their plugin.

michaelryanmcneill commented 4 years ago

I'm open to someone creating a PR for this use case, but I don't have the resources to implement it at this time.

dcsoliday commented 4 years ago

Wow! I have student workers who help with WP support and development. Could we create a pull request to add this functionality? That might be a great project for them to learn more on.