-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider disabling user editing for SAML-provisioned users #15
Comments
Because per-field edit capabilities isn't really tenable in WordPress, we could instead filter |
The Shibboleth plugin has a couple clever workarounds for this, that I'm adapting for a planned switchover from that plugin to this one. (So all the code below will be a weird mix of code for this plugin, and code from that one, because I haven't written and tested it all yet.) When a user is created, they drop a user_meta note to track if the user was created via their plugin. Here you could do something like:
(There's an edge case here where a "local" user with the same username as a SAML user might not get this flag set properly. As an example, part of my new-site process involves creating several users whose usernames match their SAML usernames, prior to installing and activating SSO. Maybe add the same hook to wp_saml_auth_existing_user_authenticated too?) Then, if a user was created this way, first you use a bit of JavaScript to disable the relevant fields.
(The Shibboleth plugin makes this a bit more complicated, since it allows you to specify, for each managed field, whether a user should be allowed to edit it. For me, an all-or-nothing is sufficient.) Also, just in case a user gets clever and disables JavaScript (thus making the form fields edit-able by the client again), hook into the actual form submission and change the values back before submitting:
I suppose the question here, is whether this is something that comes up often enough that it should be made into a checkbox in this plugin, as opposed to having users implement it themselves. Which is a valid question! There are good arguments both ways. |
If a user was created through the SAML IDP, we may want to consider having a feature where user editing is disabled for SAML-provisioned users.
Similarly, we may want to update the details for a SAML-provisioned user each time they log in through their IDP.
The text was updated successfully, but these errors were encountered: