uhm-coe / authorizer

Authorizer is a WordPress plugin that uses Google, CAS, LDAP, or an OAuth2 provider for logins, and can prevent public access to a WordPress site. It also blocks repeated failed login attempts.
GNU General Public License v3.0

Map role from CAS attributes #127

Closed mickahell closed 1 year ago

mickahell commented 1 year ago

Summary

In the CAS authentication, we choose a default role for every user. Would it be possible to select the role from CAS attributes? I mean a filter saying: if the CAS attribute roles of the user matches national:admin, give him the role administrator; if it says local:editor, give him the role editor; and if we don't say anything, just give him the default role.

I see MR #75, but I don't know if it's still relevant, as it looks quite old.

Thanks a lot :)

figureone commented 1 year ago

The plugin does support this behavior, but right now you need to hook into the authorizer_custom_role filter in order to do it (#75 is meant to create a UI for the behavior so you don't have to write code to support it, but like you noticed we haven't found the time to create it :)

We do have some documentation about using the filter hook but it's specific to our institution. You might still find it helpful though, especially step 4: https://github.com/uhm-coe/authorizer/wiki/Integrating-WordPress-Roles-with-UH-Groupings#step-4-add-your-integration-code-to-your-wordpress-theme

For your case it sounds something like this:

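add_filter( 'authorizer_custom_role', function ( $default_role, $user_data ) {
    // Map the CAS "roles" attribute to a WordPress role. The strict string
    // comparison only matches when the attribute holds a single string value.
    if ( ! empty( $user_data['cas_attributes']['roles'] ) ) {
        if ( 'national:admin' === $user_data['cas_attributes']['roles'] ) {
            $default_role = 'administrator';
        } elseif ( 'local:editor' === $user_data['cas_attributes']['roles'] ) {
            $default_role = 'editor';
        }
    }

    // No match: keep the default role configured in the plugin settings.
    return $default_role;
}, 10, 2 );
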
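
A variant of the filter above that also accepts a multi-valued roles attribute and picks the most privileged match from an explicit allowlist, keeping the default role for anything unrecognized. This is an added example, not part of the original thread or Authorizer's own code; the names example_map_cas_role and EXAMPLE_CAS_ROLE_MAP and the sample inputs are hypothetical, and it assumes a multi-valued CAS attribute arrives as a PHP array.

```php
<?php
// Added example, not Authorizer's code. The attribute name 'roles' and its
// values come from the thread; helper names and sample data are constructed.

// Allowlist of CAS role value => WordPress role, most privileged first.
const EXAMPLE_CAS_ROLE_MAP = array(
	'national:admin' => 'administrator',
	'local:editor'   => 'editor',
);

function example_map_cas_role( $default_role, $user_data ) {
	$raw = $user_data['cas_attributes']['roles'] ?? array();
	// Assumption: a multi-valued attribute is an array, a single value a string.
	$values = array_map( 'trim', array_filter( (array) $raw, 'is_string' ) );
	// Walk the map in privilege order so attribute ordering cannot change the result.
	foreach ( EXAMPLE_CAS_ROLE_MAP as $cas_value => $wp_role ) {
		if ( in_array( $cas_value, $values, true ) ) {
			return $wp_role;
		}
	}
	// Unknown, empty, or malformed values never elevate: keep the default role.
	return $default_role;
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: register on the hook named in the thread.
	add_filter( 'authorizer_custom_role', 'example_map_cas_role', 10, 2 );
} else {
	// Stand-alone run (php file.php) with constructed inputs.
	$cases = array(
		'single string' => 'local:editor',
		'multi-valued'  => array( 'local:editor', 'national:admin' ),
		'unknown value' => 'national:administrator',
		'missing'       => null,
	);
	foreach ( $cases as $label => $roles ) {
		$user_data = array( 'cas_attributes' => array( 'roles' => $roles ) );
		printf( "%-14s => %s\n", $label, example_map_cas_role( 'subscriber', $user_data ) );
	}
}
```
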
mickahell commented 1 year ago

Perfect, I just tested it and it works very well. Thanks :D

Do you know how I could configure the whole plugin directly from code?

figureone commented 1 year ago

We have a way to provide certain secrets (OAuth2 client secret, Google client secret, LDAP credentials) via filter hooks or constants defined in wp-config.php, but currently not any other settings.

You can see more details in the help text ("Help" tab in the upper right when viewing the Authorizer Settings page, "External Service" tab).

That's for setting the plugin options, not sure if you're thinking of something else. There are a number of other filters in the code where you can override/customize other behavior...if you search for apply_filter or do_action you can see where they are, there should be at least some comments describing what they do :)

mickahell commented 1 year ago

Ok thanks, I'll check on that