Merge branch 'MDL-78219-main' of https://github.com/snake/moodle

moodle · Jan 23, 2024 · 8811491 · 8811491
2 parents 1074455 + 0e74284
commit 8811491
Show file tree

Hide file tree

Showing 4 changed files with 259 additions and 104 deletions.
diff --git a/auth/lti/auth.php b/auth/lti/auth.php
@@ -110,8 +110,7 @@ public function complete_login(array $launchdata, moodle_url $returnurl, int $pr
 
         // The platform user is already linked with a user account.
         if ($this->get_user_binding($launchdata['iss'], $launchdata['sub'])) {
-            // Always sync the PII, regardless of whether we're already authenticated as this user or not.
-            $user = $this->find_or_create_user_from_launch($launchdata, true);
+            $user = $this->find_or_create_user_from_launch($launchdata);
 
             if (isloggedin()) {
                 // If a different user is currently logged in, authenticate the linked user instead.
@@ -121,11 +120,13 @@ public function complete_login(array $launchdata, moodle_url $returnurl, int $pr
                 }
                 // If the linked user is already logged in, skip the call to complete_user_login() because this affects deep linking
                 // workflows on sites publishing and consuming resources on the same site, due to the regenerated sesskey.
-                return;
             } else {
                 complete_user_login($user);
-                return;
+
             }
+            // Always sync the PII, regardless of whether we're already authenticated as this user or not.
+            $this->update_user_account($user, $launchdata, $launchdata['iss']);
+            return;
         }
 
         // The platform user is not bound to a user account, check provisioning mode now.
@@ -136,7 +137,9 @@ public function complete_login(array $launchdata, moodle_url $returnurl, int $pr
         switch ($provisioningmode) {
             case self::PROVISIONING_MODE_AUTO_ONLY:
                 // Automatic provisioning - this will create/migrate a user account and log the user in.
-                complete_user_login($this->find_or_create_user_from_launch($launchdata, true, $legacyconsumersecrets));
+                $user = $this->find_or_create_user_from_launch($launchdata, $legacyconsumersecrets);
+                complete_user_login($user);
+                $this->update_user_account($user, $launchdata, $launchdata['iss']);
                 break;
             case self::PROVISIONING_MODE_PROMPT_NEW_EXISTING:
             case self::PROVISIONING_MODE_PROMPT_EXISTING_ONLY:
@@ -211,21 +214,13 @@ public function find_or_create_user_from_membership(array $member, string $iss,
      * itself and pass relevant data in - as auth_plugin_lti::complete_login() does.
      *
      * @param array $launchdata all data in the decoded JWT including iss and sub.
-     * @param bool $syncpicture whether to sync the user's picture with the picture sent in the launch.
      * @param array $legacyconsumersecrets all secrets found for the legacy consumer, facilitating user migration.
      * @return stdClass the Moodle user who is mapped to the platform user identified in the JWT data.
      */
-    public function find_or_create_user_from_launch(array $launchdata, bool $syncpicture = false,
-            array $legacyconsumersecrets = []): stdClass {
-
-        if (!$syncpicture) {
-            unset($launchdata['picture']);
-        }
+    public function find_or_create_user_from_launch(array $launchdata, array $legacyconsumersecrets = []): stdClass {
 
         if ($binduser = $this->get_user_binding($launchdata['iss'], $launchdata['sub'])) {
-            $user = \core_user::get_user($binduser);
-            $this->update_user_account($user, $launchdata, $launchdata['iss']);
-            return \core_user::get_user($user->id);
+            return \core_user::get_user($binduser);
         } else {
             // Is the intent to migrate a user account used in legacy launches?
             if (!empty($legacyconsumersecrets)) {
@@ -234,11 +229,10 @@ public function find_or_create_user_from_launch(array $launchdata, bool $syncpic
                     $usermigrationclaim = new user_migration_claim($launchdata, $legacyconsumersecrets);
                     $username = 'enrol_lti' .
                         sha1($usermigrationclaim->get_consumer_key() . '::' .
-                        $usermigrationclaim->get_consumer_key() .':' .$usermigrationclaim->get_user_id());
-                    if ($user = \core_user::get_user_by_username($username)) {
+                            $usermigrationclaim->get_consumer_key() . ':' . $usermigrationclaim->get_user_id());
+                    if ($user = core_user::get_user_by_username($username)) {
                         $this->create_user_binding($launchdata['iss'], $launchdata['sub'], $user->id);
-                        $this->update_user_account($user, $launchdata, $launchdata['iss']);
-                        return \core_user::get_user($user->id);
+                        return core_user::get_user($user->id);
                     }
                 } catch (Exception $e) {
                     // There was an issue validating the user migration claim. We don't want to fail auth entirely though.
@@ -247,9 +241,12 @@ public function find_or_create_user_from_launch(array $launchdata, bool $syncpic
                         "'{$launchdata['iss']}'. The migration claim could not be validated. A new account will be created.");
                 }
             }
+            // At the point of the creation, to ensure the user_created event correctly reflects the creating user of '0' (the user
+            // performing the action), ensure any active session is terminated and an empty session initialised.
+            $this->empty_session();
+
             $user = $this->create_new_account($launchdata, $launchdata['iss']);
-            $this->update_user_account($user, $launchdata, $launchdata['iss']);
-            return \core_user::get_user($user->id);
+            return core_user::get_user($user->id);
         }
     }
 
@@ -301,6 +298,17 @@ public function get_user_binding(string $issuer, string $sub): ?int {
         return $binduser;
     }
 
+    /**
+     * If there's an existing session, inits an empty session.
+     *
+     * @return void
+     */
+    protected function empty_session(): void {
+        if (isloggedin()) {
+            \core\session\manager::init_empty_session();
+        }
+    }
+
     /**
      * Check whether a provisioning mode is valid or not.
      *
@@ -361,7 +369,7 @@ protected function create_new_account(array $userdata, string $iss): stdClass {
      * @param array $userdata the user data coming from either a launch or membership service call.
      * @param string $iss the issuer to which the user belongs.
      */
-    protected function update_user_account(stdClass $user, array $userdata, string $iss): void {
+    public function update_user_account(stdClass $user, array $userdata, string $iss): void {
         global $CFG;
         require_once($CFG->dirroot.'/user/lib.php');
         if ($user->auth !== 'lti') {

diff --git a/auth/lti/login.php b/auth/lti/login.php
@@ -72,8 +72,9 @@
     } else {
         // Create a new account and link it, logging the user in.
         $auth = get_auth_plugin('lti');
-        $newuser = $auth->find_or_create_user_from_launch($launchdata, true);
+        $newuser = $auth->find_or_create_user_from_launch($launchdata);
         complete_user_login($newuser);
+        $auth->update_user_account($newuser, $launchdata, $launchdata['iss']);
 
         $PAGE->set_context(context_system::instance());
         $PAGE->set_url(new moodle_url('/auth/lti/login.php'));