Merge pull request #5763 from AngelFQC/BT21930

Plugin: Azure: Improvements for existing user verification and scripts to sync users

Author: NicoDucou

main/auth/external_login/login.azure.php

@@ -12,6 +12,16 @@
         api_not_allowed(true);
     }
 
+    $uidField = new ExtraFieldValue('user');
+    $uidValue = $uidField->get_values_by_handler_and_field_variable(
+        $uData['user_id'],
+        AzureActiveDirectory::EXTRA_FIELD_AZURE_UID
+    );
+
+    if (empty($uidValue) || empty($uidValue['value'])) {
+        api_not_allowed(true);
+    }
+
     $azureIdField = new ExtraFieldValue('user');
     $azureIdValue = $azureIdField->get_values_by_handler_and_field_variable(
         $uData['user_id'],

main/inc/lib/usermanager.lib.php

@@ -6249,7 +6249,7 @@ public static function get_favicon_from_url($url1, $url2 = null)
         return $icon_link;
     }
 
-    public static function addUserAsAdmin(User $user)
+    public static function addUserAsAdmin(User $user, bool $andFlush = true)
     {
         if ($user) {
             $userId = $user->getId();
@@ -6260,19 +6260,19 @@ public static function addUserAsAdmin(User $user)
             }
 
             $user->addRole('ROLE_SUPER_ADMIN');
-            self::getManager()->updateUser($user, true);
+            self::getManager()->updateUser($user, $andFlush);
         }
     }
 
-    public static function removeUserAdmin(User $user)
+    public static function removeUserAdmin(User $user, bool $andFlush = true)
     {
         $userId = (int) $user->getId();
         if (self::is_admin($userId)) {
             $table = Database::get_main_table(TABLE_MAIN_ADMIN);
             $sql = "DELETE FROM $table WHERE user_id = $userId";
             Database::query($sql);
             $user->removeRole('ROLE_SUPER_ADMIN');
-            self::getManager()->updateUser($user, true);
+            self::getManager()->updateUser($user, $andFlush);
         }
     }
 

plugin/azure_active_directory/CHANGELOG.md

@@ -1,5 +1,26 @@
 # Azure Active Directory Changelog
 
+## 2.4 - 2024-08-28
+
+* Added a new user extra field to save the unique Azure ID (internal UID).
+This requires manually doing the following changes to your database if you are upgrading from v2.3
+```sql
+INSERT INTO extra_field (extra_field_type, field_type, variable, display_text, default_value, field_order, visible_to_self, visible_to_others, changeable, filter, created_at) VALUES (1, 1, 'azure_uid', 'Azure UID (internal ID)', '', 1, null, null, null, null, '2024-08-28 00:00:00');
+```
+* Added a new option to set the order to verify the existing user in Chamilo
+```sql
+INSERT INTO settings_current (variable, subkey, type, category, selected_value, title, comment, scope, subkeytext, access_url, access_url_changeable, access_url_locked) VALUES ('azure_active_directory_existing_user_verification_order', 'azure_active_directory', 'setting', 'Plugins', '', 'azure_active_directory', '', '', '', 1, 1, 0);
+```
+* Added a new option to update user info during the login proccess.
+```sql
+INSERT INTO settings_current (variable, subkey, type, category, selected_value, title, comment, scope, subkeytext, access_url, access_url_changeable, access_url_locked) VALUES ('azure_active_directory_update_users', 'azure_active_directory', 'setting', 'Plugins', '', 'azure_active_directory', '', '', '', 1, 1, 0);
+```
+* Added new scripts to syncronize users and groups with users and usergroups (classes). And an option to deactivate accounts in Chamilo that do not exist in Azure.
+```sql
+INSERT INTO settings_current (variable, subkey, type, category, selected_value, title, comment, scope, subkeytext, access_url, access_url_changeable, access_url_locked) VALUES ('azure_active_directory_tenant_id', 'azure_active_directory', 'setting', 'Plugins', '', 'azure_active_directory', '', '', '', 1, 1, 0);
+INSERT INTO settings_current (variable, subkey, type, category, selected_value, title, comment, scope, subkeytext, access_url, access_url_changeable, access_url_locked) VALUES ('azure_active_directory_deactivate_nonexisting_users', 'azure_active_directory', 'setting', 'Plugins', '', 'azure_active_directory', '', '', '', 1, 1, 0);
+```
+
 ## 2.3 - 2021-03-30
 
 * Added admin, session admin and teacher groups. This requires adding the following fields to your database if 

plugin/azure_active_directory/lang/dutch.php

@@ -22,11 +22,18 @@
     .'U zult moeten kopiëren de <code>/plugin/azure_active_directory/layout/login_form.tpl</code> bestand in het <code>/main/template/overrides/layout/</code> dossier.';
 $strings['management_login_name'] = 'Naam voor de beheeraanmelding';
 $strings['management_login_name_help'] = 'De standaardinstelling is "Beheer login".';
+$strings['existing_user_verification_order'] = 'Existing user verification order';
+$strings['existing_user_verification_order_help'] = 'This value indicates the order in which the user will be searched in Chamilo to verify its existence. '
+    .'By default is <code>1, 2, 3</code>.'
+    .'<ol><li>EXTRA_FIELD_ORGANISATION_EMAIL (<code>mail</code>)</li><li>EXTRA_FIELD_AZURE_ID (<code>mailNickname</code>)</li><li>EXTRA_FIELD_AZURE_UID (<code>id</code> of <code>objectId</code>)</li></ol>';
 $strings['OrganisationEmail'] = 'Organisatie e-mail';
 $strings['AzureId'] = 'Azure ID (mailNickname)';
+$strings['AzureUid'] = 'Azure UID (internal ID)';
 $strings['ManagementLogin'] = 'Beheer Login';
 $strings['InvalidId'] = 'Deze identificatie is niet geldig (verkeerde log-in of wachtwoord). Errocode: AZMNF';
 $strings['provisioning'] = 'Geautomatiseerde inrichting';
+$strings['update_users'] = 'Update users';
+$strings['update_users_help'] = 'Allow user data to be updated at the start of the session.';
 $strings['provisioning_help'] = 'Maak automatisch nieuwe gebruikers (als studenten) vanuit Azure wanneer ze niet in Chamilo zijn.';
 $strings['group_id_admin'] = 'Groeps-ID voor platformbeheerders';
 $strings['group_id_admin_help'] = 'De groeps-ID is te vinden in de details van de gebruikersgroep en ziet er ongeveer zo uit: ae134eef-cbd4-4a32-ba99-49898a1314b6. Indien leeg, wordt er automatisch geen gebruiker aangemaakt als admin.';
@@ -35,3 +42,7 @@
 $strings['group_id_teacher'] = 'Groeps-ID voor docenten';
 $strings['group_id_teacher_help'] = 'De groeps-ID voor docenten. Indien leeg, wordt er automatisch geen gebruiker aangemaakt als docent.';
 $strings['additional_interaction_required'] = 'Er is aanvullende interactie vereist om u te authenticeren. Log rechtstreeks in via <a href="https://login.microsoftonline.com" target="_blank">uw authenticatiesysteem</a> en kom dan terug naar deze pagina om in te loggen.';
+$strings['tenant_id'] = 'Mandanten-ID';
+$strings['tenant_id_help'] = 'Required to run scripts.';
+$strings['deactivate_nonexisting_users'] = 'Deactivate non-existing users';
+$strings['deactivate_nonexisting_users_help'] = 'Compare registered users in Chamilo with those in Azure and deactivate accounts in Chamilo that do not exist in Azure.';

plugin/azure_active_directory/lang/english.php

@@ -22,16 +22,27 @@
     .'You will need to copy the <code>/plugin/azure_active_directory/layout/login_form.tpl</code> file to <code>/main/template/overrides/layout/</code> directory.';
 $strings['management_login_name'] = 'Name for the management login';
 $strings['management_login_name_help'] = 'The default is "Management Login".';
+$strings['existing_user_verification_order'] = 'Existing user verification order';
+$strings['existing_user_verification_order_help'] = 'This value indicates the order in which the user will be searched in Chamilo to verify its existence. '
+    .'By default is <code>1, 2, 3</code>.'
+    .'<ol><li>EXTRA_FIELD_ORGANISATION_EMAIL (<code>mail</code>)</li><li>EXTRA_FIELD_AZURE_ID (<code>mailNickname</code>)</li><li>EXTRA_FIELD_AZURE_UID (<code>id</code> or <code>objectId</code>)</li></ol>';
 $strings['OrganisationEmail'] = 'Organisation e-mail';
 $strings['AzureId'] = 'Azure ID (mailNickname)';
+$strings['AzureUid'] = 'Azure UID (internal ID)';
 $strings['ManagementLogin'] = 'Management Login';
 $strings['InvalidId'] = 'Login failed - incorrect login or password. Errocode: AZMNF';
 $strings['provisioning'] = 'Automated provisioning';
 $strings['provisioning_help'] = 'Automatically create new users (as students) from Azure when they are not in Chamilo.';
+$strings['update_users'] = 'Update users';
+$strings['update_users_help'] = 'Allow user data to be updated at the start of the session.';
 $strings['group_id_admin'] = 'Group ID for platform admins';
 $strings['group_id_admin_help'] = 'The group ID can be found in the user group details, looking similar to this: ae134eef-cbd4-4a32-ba99-49898a1314b6. If empty, no user will be automatically created as admin.';
 $strings['group_id_session_admin'] = 'Group ID for session admins';
 $strings['group_id_session_admin_help'] = 'The group ID for session admins. If empty, no user will be automatically created as session admin.';
 $strings['group_id_teacher'] = 'Group ID for teachers';
 $strings['group_id_teacher_help'] = 'The group ID for teachers. If empty, no user will be automatically created as teacher.';
 $strings['additional_interaction_required'] = 'Some additional interaction is required to authenticate you. Please login directly through <a href="https://login.microsoftonline.com" target="_blank">your authentication system</a>, then come back to this page to login.';
+$strings['tenant_id'] = 'Tenant ID';
+$strings['tenant_id_help'] = 'Required to run scripts.';
+$strings['deactivate_nonexisting_users'] = 'Deactivate non-existing users';
+$strings['deactivate_nonexisting_users_help'] = 'Compare registered users in Chamilo with those in Azure and deactivate accounts in Chamilo that do not exist in Azure.';

plugin/azure_active_directory/lang/french.php

@@ -22,16 +22,27 @@
     .'Vous devez, pour cela, copier le fichier <code>/plugin/azure_active_directory/layout/login_form.tpl</code> dans le répertoire <code>/main/template/overrides/layout/</code>.';
 $strings['management_login_name'] = 'Nom du login de gestion';
 $strings['management_login_name_help'] = 'Le nom par défaut est "Login de gestion".';
+$strings['existing_user_verification_order'] = 'Existing user verification order';
+$strings['existing_user_verification_order_help'] = 'This value indicates the order in which the user will be searched in Chamilo to verify its existence. '
+    .'By default is <code>1, 2, 3</code>.'
+    .'<ol><li>EXTRA_FIELD_ORGANISATION_EMAIL (<code>mail</code>)</li><li>EXTRA_FIELD_AZURE_ID (<code>mailNickname</code>)</li><li>EXTRA_FIELD_AZURE_UID (<code>id</code> ou <code>objectId</code>)</li></ol>';
 $strings['OrganisationEmail'] = 'E-mail professionnel';
 $strings['AzureId'] = 'ID Azure (mailNickname)';
+$strings['AzureUid'] = 'Azure UID (internal ID)';
 $strings['ManagementLogin'] = 'Login de gestion';
 $strings['InvalidId'] = 'Échec du login - nom d\'utilisateur ou mot de passe incorrect. Errocode: AZMNF';
 $strings['provisioning'] = 'Création automatisée';
 $strings['provisioning_help'] = 'Créer les utilisateurs automatiquement (en tant qu\'apprenants) depuis Azure s\'ils n\'existent pas encore dans Chamilo.';
+$strings['update_users'] = 'Actualiser les utilisateurs';
+$strings['update_users_help'] = 'Permettre d\'actualiser les données de l\'utilisateur lors du démarrage de la session.';
 $strings['group_id_admin'] = 'ID du groupe administrateur';
 $strings['group_id_admin_help'] = 'L\'id du groupe peut être trouvé dans les détails du groupe, et ressemble à ceci : ae134eef-cbd4-4a32-ba99-49898a1314b6. Si ce champ est laissé vide, aucun utilisateur ne sera créé en tant qu\'administrateur.';
 $strings['group_id_session_admin'] = 'ID du groupe administrateur de sessions';
 $strings['group_id_session_admin_help'] = 'The group ID for session admins. Si ce champ est laissé vide, aucun utilisateur ne sera créé en tant qu\'administrateur de sessions.';
 $strings['group_id_teacher'] = 'ID du groupe enseignant';
 $strings['group_id_teacher_help'] = 'The group ID for teachers. Si ce champ est laissé vide, aucun utilisateur ne sera créé en tant qu\'enseignant.';
 $strings['additional_interaction_required'] = 'Une interaction supplémentaire est nécessaire pour vous authentifier. Veuillez vous connecter directement auprès de <a href="https://login.microsoftonline.com" target="_blank">votre système d\'authentification</a>, puis revenir ici pour vous connecter.';
+$strings['tenant_id'] = 'ID du client';
+$strings['tenant_id_help'] = 'Nécessaire pour exécuter des scripts.';
+$strings['deactivate_nonexisting_users'] = 'Deactivate non-existing users';
+$strings['deactivate_nonexisting_users_help'] = 'Compare registered users in Chamilo with those in Azure and deactivate accounts in Chamilo that do not exist in Azure.';

plugin/azure_active_directory/lang/spanish.php

@@ -22,16 +22,27 @@
     .'Para ello, tendrá que copiar el archivo <code>/plugin/azure_active_directory/layout/login_form.tpl</code> en la carpeta <code>/main/template/overrides/layout/</code>.';
 $strings['management_login_name'] = 'Nombre del bloque de login de gestión';
 $strings['management_login_name_help'] = 'El nombre por defecto es "Login de gestión".';
+$strings['existing_user_verification_order'] = 'Orden de verificación de usuario existente';
+$strings['existing_user_verification_order_help'] = 'Este valor indica el orden en que el usuario serña buscado en Chamilo para verificar su existencia. '
+    .'Por defecto es <code>1, 2, 3</code>.'
+    .'<ol><li>EXTRA_FIELD_ORGANISATION_EMAIL (<code>mail</code>)</li><li>EXTRA_FIELD_AZURE_ID (<code>mailNickname</code>)</li><li>EXTRA_FIELD_AZURE_UID (<code>id</code> o <code>objectId</code>)</li></ol>';
 $strings['OrganisationEmail'] = 'E-mail profesional';
 $strings['AzureId'] = 'ID Azure (mailNickname)';
+$strings['AzureUid'] = 'UID Azure (ID interno)';
 $strings['ManagementLogin'] = 'Login de gestión';
 $strings['InvalidId'] = 'Problema en el login - nombre de usuario o contraseña incorrecto. Errocode: AZMNF';
 $strings['provisioning'] = 'Creación automatizada';
 $strings['provisioning_help'] = 'Crear usuarios automáticamente (como alumnos) desde Azure si no existen en Chamilo todavía.';
+$strings['update_users'] = 'Actualizar los usuarios';
+$strings['update_users_help'] = 'Permite actualizar los datos del usuario al iniciar sesión.';
 $strings['group_id_admin'] = 'ID de grupo administrador';
 $strings['group_id_admin_help'] = 'El ID de grupo se encuentra en los detalles del grupo en Azure, y parece a: ae134eef-cbd4-4a32-ba99-49898a1314b6. Si deja este campo vacío, ningún usuario será creado como administrador.';
 $strings['group_id_session_admin'] = 'ID de grupo admin de sesiones';
 $strings['group_id_session_admin_help'] = 'El ID de grupo para administradores de sesiones. Si deja este campo vacío, ningún usuario será creado como administrador de sesiones.';
 $strings['group_id_teacher'] = 'ID de grupo profesor';
 $strings['group_id_teacher_help'] = 'El ID de grupo para profesores. Si deja este campo vacío, ningún usuario será creado como profesor.';
 $strings['additional_interaction_required'] = 'Alguna interacción adicional es necesaria para identificarlo/a. Por favor conéctese primero a través de su <a href="https://login.microsoftonline.com" target="_blank">sistema de autenticación</a>, luego regrese aquí para logearse.';
+$strings['tenant_id'] = 'Id. del inquilino';
+$strings['tenant_id_help'] = 'Necesario para ejecutar scripts.';
+$strings['deactivate_nonexisting_users'] = 'Desactivar usuarios no existentes';
+$strings['deactivate_nonexisting_users_help'] = 'Compara los usuarios registrados en Chamilo con los de Azure y desactiva las cuentas en Chamilo que no existan en Azure.';