humanmade · roborourke · Jan 15, 2025
diff --git a/inc/namespace.php b/inc/namespace.php
@@ -1,5 +1,5 @@
 <?php
 /*
 Plugin Name: WP Simple SAML
 Description: Integrate SAML 2.0 IDP without the hassle
 Author: Shady Sharaf, Human Made
@@ -57,7 +57,7 @@

 	// is_plugin_active_for_network can only be used once the plugin.php file is
 	// included. More information can be found here:
 	// https://codex.wordpress.org/Function_Reference/is_plugin_active_for_network
 	if ( ! function_exists( 'is_plugin_active_for_network' ) ) {
 		require_once( ABSPATH . '/wp-admin/includes/plugin.php' );
 	}
@@ -71,10 +71,10 @@
 function rewrites() {
 	add_rewrite_endpoint( 'sso', EP_ROOT, true );

 	// Attempt to flush rewrite rules on plugin activation, not perfect but it should work at least the first time
 	if ( ! get_option( 'wpsimplesaml_rr_flushed' ) ) {
 		flush_rewrite_rules();
 		do_action( 'rri_flush_rules' ); // Proper flushing on VIP environments
 		add_option( 'wpsimplesaml_rr_flushed', true );
 	}
 }
@@ -87,7 +87,7 @@
 function endpoint() {
 	global $wp_query;

 	// Do not block access to SSO endpoint if blog is not public
 	if ( class_exists( 'ds_more_privacy_options' ) ) {
 		global $ds_more_privacy_options; // @codingStandardsIgnoreLine
 		remove_action( 'template_redirect', [ $ds_more_privacy_options, 'ds_users_authenticator' ] );
@@ -97,7 +97,7 @@
 		return;
 	}

 	// If we have no valid instance, bail completely
 	if ( ! instance() ) {
 		wp_die( esc_html__( 'Invalid SSO settings. Contact your administrator.', 'wp-simple-saml' ) );
 	}
@@ -107,7 +107,7 @@

 	do_action( 'wpsimplesaml_action_' . $action );

 	// If nothing happens,
 	do_action( 'wpsimplesaml_invalid_endpoint', $action );
 	// i haz no monies!
 	wp_safe_redirect( home_url(), 404 );
@@ -143,7 +143,7 @@
 		esc_html( apply_filters( 'wpsimplesaml_log_in_text', __( 'SSO Login', 'wp-simple-saml' ) ) )
 	);

 	echo $output; // WPCS: xss ok
 }

 /**
@@ -161,7 +161,7 @@
 		return;
 	}

 	// Bail if no SAML2_Auth instance is available, mainly if no configuration was found
 	if ( ! instance() ) {
 		return;
 	}
@@ -259,10 +259,10 @@

 	$user = get_sso_user();
 	if ( is_a( $user, 'WP_User' ) ) {
 		// Set authentication cookie
 		signon( $user );

 		// Check if we need to add the user to the site if he's not there already
 		if ( ! is_user_member_of_blog( $user->ID, get_current_blog_id() ) ) {
 			/**
 			 * Filters whether users should be added to sites they've not initially signed in to
@@ -328,7 +328,7 @@
 	exit;
 }

 /**
 * @return Auth|\WP_Error
 */
 function process_response() {
@@ -354,7 +354,7 @@
 		//
 		// This is low-risk, as if the Destination validates against the `sso_sp_base`,
 		// it should be safe to also assume it as safe to be used on the current URL too.
 		$response = new SAML2Response( $saml->getSettings(), $_POST['SAMLResponse'] );
 		if ( $response->getXMLDocument()->documentElement->hasAttribute( 'Destination' ) ) {
 			$host = parse_url( $config['sp']['assertionConsumerService']['url'], PHP_URL_HOST );
 			$original_host = $_SERVER['HTTP_HOST'];
@@ -406,7 +406,7 @@
 /**
 * Create a user and/or update his role based on SAML response
 *
 * @param \OneLogin\Saml2\Auth $saml
 *
 * @return \WP_User|\WP_Error
 */
@@ -416,7 +416,7 @@
 	$attributes = $saml->getAttributes();
 	$name_id    = $saml->getNameId();

 	// Check whether email is the unique identifier set in SAML IDP
 	$is_email_auth = 'emailAddress' === substr( $saml->getNameIdFormat(), - strlen( 'emailAddress' ) );

 	if ( $is_email_auth ) {
@@ -544,10 +544,10 @@
 		return;
 	}

 	// Manage super admin flag
 	if ( is_sso_enabled_network_wide() ) {
 		if ( isset( $roles['network'] ) && in_array( 'superadmin', $roles['network'], true ) ) {
-			$roles = array_diff( $roles['network'], [ 'superadmin' ] );
+			$roles['network'] = array_diff( $roles['network'], [ 'superadmin' ] );
 
 			if ( ! is_super_admin( $user->ID ) ) {
 				grant_super_admin( $user->ID );
@@ -558,25 +558,27 @@
 			}
 		}

 		// If we have specific roles for each site
 		if ( isset( $roles['sites'] ) ) {
 			$new_site_ids = array_unique( array_filter( array_map( 'absint', array_keys( $roles['sites'] ) ) ) );
 			$old_site_ids = array_map( 'absint', array_keys( get_blogs_of_user( $user->ID ) ) );

 			// Remove the user from all other sites he shouldn't have access to
 			foreach ( array_diff( $old_site_ids, $new_site_ids ) as $site_id ) {
 				remove_user_from_blog( $user->ID, $site_id );
 			}
 
 			// Add the user to the defined sites, and assign proper role(s)
 			foreach ( $roles['sites'] as $site_id => $site_roles ) {
-				switch_to_blog( $site_id );
-				$user->for_site( $site_id );
-				$user->set_role( reset( $site_roles ) );
+				switch_to_blog( (int) $site_id );
+				$user->for_site( (int) $site_id );
+				add_user_to_blog( (int) $site_id, $user->ID, reset( $site_roles ) );
 
 				foreach ( array_slice( $site_roles, 1 ) as $role ) {
 					$user->add_role( $role );
 				}
+
+				restore_current_blog();
 			}
 		} elseif ( ! isset( $roles['sites'] ) && isset( $roles['network'] ) ) {
 			$all_site_ids = new \WP_Site_Query( [
@@ -586,13 +588,15 @@
 			] );
 
 			foreach ( $all_site_ids->sites as $site_id ) {
-				switch_to_blog( $site_id );
-				$user->for_site( $site_id );
-				$user->set_role( reset( $roles['network'] ) );
+				switch_to_blog( (int) $site_id );
+				$user->for_site( (int) $site_id );
+				add_user_to_blog( (int) $site_id, $user->ID, reset( $roles['network'] ) );
 
 				foreach ( array_slice( $roles['network'], 1 ) as $role ) {
 					$user->add_role( $role );
 				}
+
+				restore_current_blog();
 			}
 		}
 	} else {
@@ -606,7 +610,7 @@
 /**
 * Sign in the user, and store the auth cookie
 *
 * @param \WP_User $user
 */
 function signon( $user ) {
 	wp_set_auth_cookie( $user->ID, true, is_ssl() );
@@ -615,9 +619,9 @@
 /**
 * Forward IdP response to another site
 *
 * @param string $url
 *
 * @return string  $token
 */
 function cross_site_sso_redirect( $url ) {

@@ -633,7 +637,7 @@
 	 * @return bool
 	 */
 	$allowed_hosts = apply_filters( 'wpsimplesaml_allowed_hosts', $allowed_hosts, $host, $url );
 	// Allow local hosts ending in .local
 	if ( '.local' === substr( $host, - strlen( '.local' ) ) ) {
 		$allowed_hosts[] = $host;
 	}
@@ -642,7 +646,7 @@
 		wp_die( sprintf( esc_html__( '%s is not a whitelisted cross-network SSO site.', 'wp-simple-saml' ), esc_html( $host ) ) );
 	}

 	// Workaround for sub-directory installs, as we usually redirect to admin urls
 	$path = wp_parse_url( $url, PHP_URL_PATH );
 	if ( false !== strpos( $path, '/wp-admin' ) ) {
 		// If we have an admin url, we know where to start from!
@@ -684,10 +688,10 @@
 	exit;
 }

 /**
 * Get blog ID of the passed URL, if it is on the same network
 *
 * @param $url
 *
 * @return int Blog ID if found, 0 if not
 */
@@ -717,10 +721,10 @@
 * @return string
 */
 function get_redirection_url() {
 	// Catch the redirection URL from the login page if passed
 	$redirect = isset( $_REQUEST['redirect_to'] ) ? wp_unslash( $_REQUEST['redirect_to'] ) : null; // @codingStandardsIgnoreLine

 	// If no redirection URL exists in the URL query, see if we have one from the SAML response
 	if ( empty( $redirect ) && isset( $_POST['RelayState'] ) ) { // @codingStandardsIgnoreLine
 		$redirect = $_POST['RelayState']; // @codingStandardsIgnoreLine
 	}
@@ -729,7 +733,7 @@
 		$redirect = urldecode( $redirect );
 	}

 	// If redirection URL is invalid or empty, fall back to admin_url()
 	if ( empty( $redirect ) || ( $redirect && ! filter_var( $redirect, FILTER_VALIDATE_URL ) ) ) {
 		$redirect = admin_url();
 	}
@@ -762,8 +766,8 @@
 /**
 * Transform the roles array into a proper network roles array
 *
 * @param \WP_User $user
 * @param array    $attributes
 *
 * @return array
 */
@@ -806,13 +810,13 @@
 		$network_roles = [];

 		// If this is a multisite, the roles array may contain a 'network' key and a 'sites' key. Otherwise, if
 		// it is a flat array, use it to add the roles for all sites
 		if ( is_numeric( key( $roles ) ) ) { // Not an associative array ?
 			if ( is_array( current( $roles ) ) ) {
 				// Nested array? then it is a `sites` definition, expect array of roles for each site
 				$network_roles['sites'] = $roles;
 			} else {
 				// Flat array of strings ? then expect it is roles to apply on all sites
 				$network_roles['network'] = $roles;
 			}
 		} elseif ( ! isset( $roles['network'] ) && ! isset( $roles['sites'] ) ) { // Associative but no 'network' or 'sites' keys ?