From 45e2dd3d16f8a6621d1baf10b9612710bee19b6d Mon Sep 17 00:00:00 2001 From: Kushtrim Aliu Date: Mon, 13 Jan 2025 21:00:46 +0100 Subject: [PATCH] Deactivating verification The user data from Arrsys are not trusted because of no verification process. Other platforms MUST verify the users via email or mobile number before connecting them. --- src/Http/Handlers/AuthenticateHandler.php | 11 +++++++++++ src/Http/Handlers/AuthorizeHandler.php | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/src/Http/Handlers/AuthenticateHandler.php b/src/Http/Handlers/AuthenticateHandler.php index 8a069fd..25cf8ff 100644 --- a/src/Http/Handlers/AuthenticateHandler.php +++ b/src/Http/Handlers/AuthenticateHandler.php @@ -45,6 +45,13 @@ public function handle( Request $request, Response $response ): Response { 'form_fields' => $request->getAllQueryParameters(), ); + // IMPORTANT NOTE - UKM Norge: We are not checking permissions here. + // The goal is to connect Arrsys users with users from other platforms (like delta.ukm.no). + // Since there is no verification process and users are added by other users, + // along with the use of multisite functionality and users may have different permissions across various sites, + // we do not need to check permissions. + // The user data from Arrsys are not trusted because of no verification process. Other platforms MUST verify the users via email or mobile number before connecting them. + /* $has_permission = current_user_can( apply_filters( 'oidc_minimal_capability', OIDC_DEFAULT_MINIMAL_CAPABILITY ) ); if ( ! $has_permission ) { login_header( 'OIDC Connect', null, new \WP_Error( 'OIDC_NO_PERMISSION', __( "You don't have permission to use OpenID Connect.", 'openid-connect-server' ) ) ); 
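Review bot: Commenting out the `current_user_can()` gate means every authenticated WordPress account — including users who hold no role on the current multisite blog and were therefore excluded by `edit_posts` — can now reach the consent screen and authorize any registered OIDC client, and the email/phone verification the new comment says relying parties MUST do is not enforced by anything in this patch. The line being commented out already runs the capability through the `oidc_minimal_capability` filter, so the same goal is reachable without deleting the check: keep `$has_permission = current_user_can( apply_filters( 'oidc_minimal_capability', OIDC_DEFAULT_MINIMAL_CAPABILITY ) );` and register `add_filter( 'oidc_minimal_capability', static fn () => 'read' );` (or `'exist'` for role-less multisite users) from the site's own plugin. That keeps one auditable policy point, keeps the `OIDC_NO_PERMISSION` error path for accounts that should never be connected, and lets the capability be raised again without touching this handler. The body of `handle()` continues past the end of this hunk.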
@@ -53,6 +60,10 @@ public function handle( Request $request, Response $response ): Response { login_header( 'OIDC Connect' ); $this->render_consent_screen( $data ); } + */ + // Therefore we will always render the consent screen when the user is logged in. + login_header( 'OIDC Connect' ); + $this->render_consent_screen( $data ); login_footer(); diff --git a/src/Http/Handlers/AuthorizeHandler.php b/src/Http/Handlers/AuthorizeHandler.php index 96371ce..e3f7efb 100644 --- a/src/Http/Handlers/AuthorizeHandler.php +++ b/src/Http/Handlers/AuthorizeHandler.php @@ -10,7 +10,7 @@ use OpenIDConnectServer\Http\RequestHandler; use OpenIDConnectServer\Storage\ConsentStorage; -const OIDC_DEFAULT_MINIMAL_CAPABILITY = 'edit_posts'; +const OIDC_DEFAULT_MINIMAL_CAPABILITY = 'edit_posts'; // This feature is not used by UKM. Read the information in README.md for more information. class AuthorizeHandler extends RequestHandler { private OAuth2Server $server;
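Review bot: The `/* … */` fence closed here leaves the whole old permission branch as dead code inside `handle()`; the history is in git, so delete those lines and keep only the unconditional `login_header( 'OIDC Connect' );` and `$this->render_consent_screen( $data );`. The added comment says the consent screen is rendered "when the user is logged in", but nothing in this hunk shows that login check — if it is performed earlier in `handle()`, outside the hunk, say so and spell out the consequence, e.g. `// Any authenticated user reaches consent here; login is enforced above, and authorization policy is delegated to the relying party.` The enclosing method starts before this hunk.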
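Review bot: The trailing comment on `OIDC_DEFAULT_MINIMAL_CAPABILITY` claims the feature is not used by UKM, but this commit only disables one consumer of the constant (the check in `AuthenticateHandler`); every other `apply_filters( 'oidc_minimal_capability', OIDC_DEFAULT_MINIMAL_CAPABILITY )` call still reads it, and if the `AuthorizeHandler` class body below (outside the hunk) still performs that check the comment will mislead the next reader into believing authorization is also ungated. State only what is actually true and where, on its own line above the constant: `// Default for the oidc_minimal_capability filter; UKM bypasses the check in AuthenticateHandler (see README.md).`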