Blog Documentation Book a Demo
Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Pass a set of roles from ProxyConnect SSO to vanilla

carlokokcarlokok New
edited April 2011 in Vanilla 2.0 - 2.8
Is it possible to pass a set of roles that should be applied to a given account during the SSO login? for example something like:

Roles=Member;Administrator;private-beta-cooper

where it would remove the roles that aren't in the list and add the ones that are? The authentication url can return this info.
Tagged:

Comments

  • judgejjudgej
    I've been trying to work out how to do this for a long time, and have not been able to find a hook that works consistently. Instead I push the role links to Vanilla from the CMS using a cron job. It is not ideal, but it works.

    The authentication page lists name/value pairs of data, and there are no restrictions on the additional data that you can add to this page. So in theory the roles can be passed across, but capturing them in any kind of custom code hooked into ProxyConnect is the the difficulty. I find that by the time the point is reached where the user is created, the additional data passed in through the authentication page is long gone.
  • carlokokcarlokok New
    edited April 2011
    what I did now is pass the Role in the authenticate. Then in

    "class.proxyauthenticator.php" 

    public function Authenticate() {


             $UserEmail = ArrayValue('Email', $Response);
    +        $Roles = ArrayValue('Roles', $Response);
            $UserName = ArrayValue('Name', $Response);
             $UserName = trim(preg_replace('/[^a-z0-9- ]+/i','',$UserName));
             $TransientKey = ArrayValue('TransientKey', $Response, NULL);
             // Validate remote credentials against local auth tables
             $AuthResponse = $this->ProcessAuthorizedRequest($Provider['AuthenticationKey'], $UserUnique, $UserName, $TransientKey, array(
                'Email'  => $UserEmail,
    +                'Roles' => $Roles
             ));
    then in 

      public function ProcessAuthorizedRequest($ProviderKey, $UserKey, $UserName = NULL, $ForeignNonce = NULL, $OptionalPayload = NULL) {

          if ($Association['UserID'] > 0) {
             // Retrieved an association which has been fully linked to a local user

             // We'll be tracked by Vanilla cookies now, so delete the Proxy cookie if it exists...
             $this->DeleteCookie();
    +           $Roles = $OptionalPayload["Roles"];
    +        if ($Roles) {
    +                $um = new UserModel();
    +                $um->SaveRoles($Association['UserID'], $Roles);
    +        }

             // Log the user in
             $this->SetIdentity($Association['UserID'], FALSE);
             // Check for a request token that needs to be converted to a
    Now this works; however it doesn't work the first time around, and I can't find a hook to place the initial roles (when the user is created).

    It is passed in the HMAC cookie, but where can I hook so it does this after it created the user so i can apply the new roles?
  • judgejjudgej
    however it doesn't work the first time around
    Exactly what I found, and just could not see a way around it. That's why I resorted to a cron job to create very basic user records with the roles, and when the user logs in for the first time, the user account gets tidied up by Vanilla.

    If you can figure out this one, it would be a real benefit to this plugin. Ultimately, what ProxyConnect needs is hooks in the right place so that additional plugins can be written to handle roles, addresses, thumbnails, personal statements, accreditations etc. whatever people want to pull across from their CMS.
  • carlokokcarlokok New
    Indeed. However I don't know enough about this framework to know where to place something like this.
Sign In or Register to comment.