Merge pull request #1 from cuny-academic-commons/fix/standard-auth-ch…

…anges

Adjust standard authentication behavior

README.md

@@ -4,14 +4,9 @@ Add CUNY SSO integration to Commons In A Box
 
 ## Authorization and Authentication
 
-When this plugin is activated, authorization via CUNY SSO is required for a user to register. The visitor's browser session is redirected to CUNY SSO for authentication. When authentication with CUNY SSO is successful, the information about that session is sent back to the Commons In A Box site, and the SSO
-attributes are checked to determine if the user is authorized to register. If they are, the user can continue with registration.
+When this plugin is activated, authorization via CUNY SSO is **required** for a user to register.
 
-Site admins can add users manually to the site and allow them to login with the standard WordPress form at `/login` or `/wp-login.php`.
-
-Site admins can add a user's CUNY SSO EMPLID to the user's profile to connect an existing user account with CUNY SSO.
-
-By default, authorization is SPS specific. The `sps_cbox_sso_can_register` filter can be used to override this behavior based on the available SAML attributes.
+The visitor's browser session is redirected to CUNY SSO for authentication. When authentication with CUNY SSO is successful, information about that session is sent back to the Commons In A Box site, and the SSO attributes are checked to determine if the user is authorized to register. If they are, the user can continue with registration.
 
 ### Paths
 
@@ -24,11 +19,29 @@ The plugin manages the following paths:
 
 ## Configuration
 
+### IdP and SP Metadata
+
 The plugin has a default configuration for CUNY SSO identiy provider (IdP) and service provider (SP) metadata.
 
 The CUNY SSO IdP configuration was based on [the metadata file provided by CUNY IT](https://ssologin.cuny.edu/idp/metadata/oam-saml-metadata.xml).
 
-Both configurations can be overridden or modified with the `sps_cbox_sso_saml_settings` filter.
+Both IdP and SP configurations can be overridden or modified with the `sps_cbox_sso_saml_settings` filter.
+
+### SAML Attributes
+
+The plugin manages authorization via the SAML attributes expected by CUNY SPS OpenLab.
+
+The `sps_cbox_sso_can_register` filter can be used to override this behavior based on the available SAML attributes.
+
+### Users
+
+Once active, SSO is required for new user regitration. If needed, site admins can add users manually and allow them to login with standard WordPress authentication.
+
+Site admins can also add a user's CUNY SSO EMPLID to a user's profile to connect an existing user account with CUNY SSO.
+
+Site admins can also remove a user's CUNY SSO EMPLID to disconnect a user account from CUNY SSO.
+
+If the `cuny_sso_allow_wp_login` option is set to `yes` on the site, any user without an EMPLID can login with their WordPress credentials.
 
 ### Certificates
 

plugin.php

@@ -2,7 +2,7 @@
 /**
  * Plugin Name:  SPS CBOX SSO
  * Description:  Add CUNY SSO integration to Commons In A Box
- * Version:      0.1.1
+ * Version:      0.1.2
  * Plugin URI:   https://github.com/cuny-academic-commons/sps-cbox-sso
  * Author:       CUNY Academic Commons
  * Author URI:   https://commons.gc.cuny.edu

src/Init.php

@@ -221,22 +221,9 @@ public static function redirect_wp_login_attempts(): void {
 			$user = get_user_by( 'email', $user_name );
 		}
 
-		if ( $user ) {
-			$emplid = get_user_meta( $user->ID, 'cuny_sso_emplid', true );
-
-			// This user has previously authenticated with CUNY SSO.
-			if ( $emplid ) {
-				wp_safe_redirect( Config::login_url() );
-				exit;
-			}
-
-			$allow_wp_login = get_user_meta( $user->ID, 'cuny_sso_allow_wp_login', true );
-
-			// An administrator has not flagged this account as okay for WP login.
-			if ( ! $allow_wp_login ) {
-				wp_safe_redirect( Config::login_url() );
-				exit;
-			}
+		if ( $user && ! self::user_can_use_wp_auth( $user->ID ) ) {
+			wp_safe_redirect( Config::login_url() );
+			exit;
 		}
 	}
 
@@ -252,12 +239,46 @@ public static function filter_signup_url(): string {
 	/**
 	 * Filter the default logout URL to go through the SSO logout endpoint.
 	 *
+	 * @param string $logout_url The default logout URL.
 	 * @return string $logout_url The default logout URL.
 	 */
-	public static function filter_logout_url(): string {
+	public static function filter_logout_url( $logout_url ): string {
+		$user = wp_get_current_user();
+
+		if ( self::user_can_use_wp_auth( $user->ID ) ) {
+			return $logout_url;
+		}
+
 		return Config::logout_url();
 	}
 
+	/**
+	 * Determine whether a user is allowed to login with WordPress.
+	 *
+	 * @param int $user_id The ID of the user.
+	 * @return bool Whether the user is allowed to login with WordPress.
+	 */
+	public static function user_can_use_wp_auth( $user_id ): bool {
+		$emplid = get_user_meta( $user_id, 'cuny_sso_emplid', true );
+
+		// This user has already authenticated with CUNY SSO.
+		if ( $emplid ) {
+			return false;
+		}
+
+		// Is this specific user allowed to login with WordPress?
+		$user_allow_wp_login = get_user_meta( $user_id, 'cuny_sso_allow_wp_login', true );
+
+		// Are all non-SSO users allowed to login with WordPress?
+		$site_allow_wp_login = get_option( 'cuny_sso_allow_wp_login', 'no' );
+
+		if ( $user_allow_wp_login || 'yes' === $site_allow_wp_login ) {
+			return true;
+		}
+
+		return false;
+	}
+
 	/**
 	 * Filter whether a user can register based on their SPS attributes.
 	 *