MSFTMPP-404: Split auth/oidc:manageconnection permissions

db/access.php

@@ -32,4 +32,16 @@ $capabilities = [
         'contextlevel' => CONTEXT_USER,
         'archetypes' => []
     ],
-];
+    'auth/oidc:manageconnectionconnect' => [
+        'riskbitmask' => RISK_CONFIG,
+        'captype' => 'write',
+        'contextlevel' => CONTEXT_USER,
+        'archetypes' => []
+    ],
+    'auth/oidc:manageconnectiondisconnect' => [
+        'riskbitmask' => RISK_CONFIG,
+        'captype' => 'write',
+        'contextlevel' => CONTEXT_USER,
+        'archetypes' => []
+    ],
+];

lang/en/auth_oidc.php

@@ -119,7 +119,9 @@ $string['eventuserconnected'] = 'User connected to OpenID Connect';
 $string['eventuserloggedin'] = 'User Logged In with OpenID Connect';
 $string['eventuserdisconnected'] = 'User disconnected from OpenID Connect';
 
-$string['oidc:manageconnection'] = 'Manage OpenID Connect Connection';
+$string['oidc:manageconnection'] = 'Allow OpenID Connection and Disconnection';
+$string['oidc:manageconnectionconnect'] = 'Allow OpenID Connection';
+$string['oidc:manageconnectiondisconnect'] = 'Allow OpenID Disconnection';
 
 // In the following strings, $a refers to a customizable name for the identity manager. For example, this could be
 // "Office 365", "OpenID Connect", etc.

lib.php

@@ -46,3 +46,44 @@ function auth_oidc_initialize_customicon($filefullname) {
         theme_reset_all_caches();
     }
 }
+
+/**
+ * Check for connection abilities.
+ *
+ * @param int $userid Moodle user id to check permissions for.
+ * @param string $mode Mode to check
+ *                     'connect' to check for connect specific capability
+ *                     'disconnect' to check for disconnect capability.
+ *                     'both' to check for disconnect and connect capability.
+ * @param boolean $require Use require_capability rather than has_capability.
+ * @return boolean True if has capability.
+ */
+function auth_oidc_connectioncapability($userid, $mode = 'connect', $require = false) {
+    $check = 'has_capability';
+    if ($require) {
+        // If requiring the capability and user has manageconnection than checking connect and disconnect is not needed.
+        $check = 'require_capability';
+        if (has_capability('auth/oidc:manageconnection', \context_user::instance($userid), $userid)) {
+            return true;
+        }
+    } else if ($check('auth/oidc:manageconnection', \context_user::instance($userid), $userid)) {
+        return true;
+    }
+
+    $result = false;
+    switch ($mode) {
+        case "connect":
+            $result = $check('auth/oidc:manageconnectionconnect', \context_user::instance($userid), $userid);
+            break;
+        case "disconnect":
+            $result = $check('auth/oidc:manageconnectiondisconnect', \context_user::instance($userid), $userid);
+            break;
+        case "both":
+            $result = $check('auth/oidc:manageconnectionconnect', \context_user::instance($userid), $userid);
+            $result = $result && $check('auth/oidc:manageconnectiondisconnect', \context_user::instance($userid), $userid);
+    }
+    if ($require) {
+        return true;
+    }
+    return $result;
+}

ucp.php

@@ -23,11 +23,10 @@
 
 require_once(__DIR__.'/../../config.php');
 require_once(__DIR__.'/auth.php');
+require_once(__DIR__.'/lib.php');
 
 require_login();
 
-require_capability('auth/oidc:manageconnection', \context_user::instance($USER->id), $USER->id);
-
 $action = optional_param('action', null, PARAM_TEXT);
 
 $oidctoken = $DB->get_record('auth_oidc_token', ['username' => $USER->username]);
@@ -41,11 +40,13 @@ if (!empty($action)) {
         if (!is_enabled_auth('oidc')) {
             throw new \moodle_exception('erroroidcnotenabled', 'auth_oidc');
         }
+        auth_oidc_connectioncapability($USER->id, 'connect', true);
         $auth = new \auth_oidc\loginflow\authcode;
         $auth->set_httpclient(new \auth_oidc\httpclient());
         $auth->initiateauthrequest();
     } else if ($action === 'disconnectlogin' && $oidcloginconnected === true) {
         if (is_enabled_auth('manual') === true) {
+            auth_oidc_connectioncapability($USER->id, 'disconnect', true);
             $auth = new \auth_plugin_oidc;
             $auth->set_httpclient(new \auth_oidc\httpclient());
             $auth->disconnect();
@@ -77,18 +78,22 @@ if (!empty($action)) {
     if ($oidcloginconnected === true) {
         echo \html_writer::tag('h4', get_string('ucp_status_enabled', 'auth_oidc'), ['class' => 'notifysuccess']);
         if (is_enabled_auth('manual') === true) {
-            $connectlinkuri = new \moodle_url('/auth/oidc/ucp.php', ['action' => 'disconnectlogin']);
-            $strdisconnect = get_string('ucp_login_stop', 'auth_oidc', $opname);
-            $linkhtml = \html_writer::link($connectlinkuri, $strdisconnect);
-            echo \html_writer::tag('h5', $linkhtml);
-            echo \html_writer::span(get_string('ucp_login_stop_desc', 'auth_oidc', $opname));
+            if (auth_oidc_connectioncapability($USER->id, 'disconnect')) {
+                $connectlinkuri = new \moodle_url('/auth/oidc/ucp.php', ['action' => 'disconnectlogin']);
+                $strdisconnect = get_string('ucp_login_stop', 'auth_oidc', $opname);
+                $linkhtml = \html_writer::link($connectlinkuri, $strdisconnect);
+                echo \html_writer::tag('h5', $linkhtml);
+                echo \html_writer::span(get_string('ucp_login_stop_desc', 'auth_oidc', $opname));
+            }
         }
     } else {
         echo \html_writer::tag('h4', get_string('ucp_status_disabled', 'auth_oidc'), ['class' => 'notifyproblem']);
-        $connectlinkuri = new \moodle_url('/auth/oidc/ucp.php', ['action' => 'connectlogin']);
-        $linkhtml = \html_writer::link($connectlinkuri, get_string('ucp_login_start', 'auth_oidc', $opname));
-        echo \html_writer::tag('h5', $linkhtml);
-        echo \html_writer::span(get_string('ucp_login_start_desc', 'auth_oidc', $opname));
+        if (auth_oidc_connectioncapability($USER->id, 'connect')) {
+            $connectlinkuri = new \moodle_url('/auth/oidc/ucp.php', ['action' => 'connectlogin']);
+            $linkhtml = \html_writer::link($connectlinkuri, get_string('ucp_login_start', 'auth_oidc', $opname));
+            echo \html_writer::tag('h5', $linkhtml);
+            echo \html_writer::span(get_string('ucp_login_start_desc', 'auth_oidc', $opname));
+        }
     }
     echo \html_writer::end_div();
 

version.php

@@ -23,7 +23,7 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$plugin->version = 2015111907;
+$plugin->version = 2015111908;
 $plugin->requires = 2015111600;
 $plugin->component = 'auth_oidc';
 $plugin->maturity = MATURITY_STABLE;