Set WP User Role conditionally using Auth.0 rule at SSO - wordpress

Currently building a WordPress intranet site, that authenticates users using Auth.0 SSO, against the company's Azure AD. The SSO functions properly, but I'm trying to get more granular with access control using Auth.0's "rules". The ideal result is a rule that specifies (updates) the user's WP Profile with a user role based on their job title from AD. The code below has been modified from one of Auth.0's rule templates, and runs clean. However, it doesn't work - I'm not sure what particular arguments/functions I need to actually update the role in WordPress. I'll be up-front and admit that I'm far from proficient in JS. Any thoughts?
function (user, context, callback) {
if (user.job_title === 'IT/Marketing Coordinator') {
user.vip = true;
}
callback(null, user, context);
}
In the example above, it successfully sets "user.vip" to "true" (which really doesn't prove much except that the rule executes without error.

this rule, as you said, is fine and will add this attribute.
The issue is that you will need to do something from the wordpress side to make it work (that the user has a vip flag doesn't mean anything to WordPress).
What you can do is hook to the auth0_user_login action that is fired each time a user logs in and based on the user profile set/change the user role.
This is how you hook to the action:
add_action( 'auth0_user_login', 'auth0UserLoginAction', 0,5 );
function auth0UserLoginAction($user_id, $user_profile, $is_new, $id_token, $access_token) {
...
}
I think you will find this WP doc useful to update the user role: https://codex.wordpress.org/Function_Reference/wp_update_user

Related

How to remove user id on url drupal 9

http://localhost/drupal-9.3.3/user/372#myaccount
How to remove user id on URL . Please suggest how to change these type security isssue.
If you want to change the url structure to remove ids, use pathauto https://www.drupal.org/project/pathauto
You can choose to have an url structure for user profiles that can be generated from any user field.
Someone told me that everything you write on the front end or in your main folder is always just basically a suggestion a.k.a. not secure.
Good ways to secure site:
Authenticate users using backend like firebase read/write permissions
Use randomized urls / keys (which firebase also does)
Also catch exceptions and deal with them, perferably at the the place where that function is created, not when it is executed:
Example
yes:
function() => {
// do something
//catch error
}
function(); // call function;
No:
function().then(error => { //do something})

drupal webform - credit card resubmit on admin edit

I have a client who has a drupal website installation. On the site there is a form that allows unauthorized/anonymous users to submit a request for some official data of which there is a charge.
The problem is when the admin goes in to the website and fills in the some additional fields (used for office processing) the credit card charged again.
Is there a way to provide a save button for admins that does NOT charge? or have it only charge once - if it fails on web then admins can run it via other means.
I'm not sure to exactly understand issue but you can change form with an hook_form_alter : https://api.drupal.org/api/drupal/modules%21system%21system.api.php/function/hook_form_alter/7.x
So, it will allow you to modify form before rendering and maybe delete credit card service callback with condition on current user logged.
Something like
function MYMODULENAME_form_alter(&$form, &$form_state, $form_id){
global $user;
if($form_id == 'my_credi_card_form_id' && $user->uid == 1){
//superadmin or use user_has_role function for group of user with permissions
// dump form structure to identify callback and after unset it from form
}
}

Secure way to store pending user's password in Meteor

For my Meteor application, I would like to have the following signup process:
User registers username, email and password. (He's not able to log in yet.)
Confirmation email sent [Accounts.sendEnrollmentEmail]
User confirms email [Accounts.onEnrollmentLink]
User is created. [Accounts.createUser] (He's able to log in.)
In order to achieve this, I feel like I would have to store the plain text password in a table of temporary users (step 1) in order to create the actual user later (step 3). Obviously this is a horrible idea.
I could of course only ask for the password as of step 3 and create the user at once - but it's not the behavior I would like to achieve.
So: Is there a proper way to store the password securely to later pass it to the user creation? Or is there a way to create a not-loginable users?
There is not much you have to do yourself as Meteor brings everything you need for save password storage when you create a user with the built in methods. So you should use these methods from the beginning (Your step 1: Accounts.createUser, step 2: Accounts.sendVerificationEmail, step 3: Accounts.verifyEmail, step 4 isn't necessary anymore).
Now to get where you want to be you can use an approach like David Weldon suggested but use Accounts.validateLoginAttempt on the sever side. That is a little easier and the login isn't allowed in the first place.
For example you could have this code server side:
Accounts.validateLoginAttempt(function(loginAttempt){
if (!loginAttempt.allowed) {
// Only tell the user that something went wrong but not what to enhance security
throw new Meteor.Error(901, 'Your login credentials are wrong. Try again.');
} else {
// In some cases this method isn't invoked with a correct user object...
if (!loginAttempt.user) {
throw new Meteor.Error(902, 'No valid user object. Make sure to validate your email address first.');
}
// If email verification is required check if the user has a valid email address and don't allow the login if he has none
if (!loginAttempt.user.emails[0].verified) {
throw new Meteor.Error(902, 'Your email address has to be verified first.');
}
// We have a correct login!
return true;
}
});
And now on the client side you can use a logic like this for the login
Meteor.loginWithPassword(email, password, function(callback) {
if (callback === undefined) {
// Your login logic
} else if (callback.error == 902) {
// Your "not verfied" logic
} else {
// Your other login errors logic
}
}
Note that you may have to adjust the registration process a little bit, too, as Meteor per default tries to login users directly after registration but this will not be possible anymore.
Also note that you may use Accounts.validateLoginAttempt for more than just that. For example you also could implement a logic here to only allow a certain amount of bad login attempts from the same IP.
We've used a slightly different pattern in our app based on the accounts package
User registers
User is logged in normally
Out main site template conditions content with
<template name="main">
{{#if currentUser}}
{{#if verified }}
...
{{else}}
Notice to user to look for their verification email
{{/if}}
{{/if}}
</template>
Based on a helper function
Template.main.helpers({
verified: function() { return Meteor.user().emails[0].verified; }
});
This meets the requirement that the user can't do much if anything until they have been verified yet uses the accounts package in a simple and secure way.
I could see taking a related approach using iron:router as well.

How can I redirect users when they log into Drupal UNLESS they are placing an order?

I want to redirect users when they log in to my site to a specific page. I currently do this in hook_user:
if($op == 'login') {
drupal_goto('defaut');
}
This mostly works fine. However, I'm using Ubercart to take orders, and have it configured to automatically log in new users. This happens before the conditional action to update the order status to "Completed" is triggered. This means that when the user is logged in automatically, my hook_user redirects the user, and bypasses the remaining order processing.
At the moment, I'm working around this by checking debug_backtrace for the calling function uc_cart_checkout_complete somewhere in the call stack, but this sounds like a really dirty way to resolve it.
Can anyone suggest a cleaner way to achieve my conditional redirection without hacking great chunks of Ubercart?
You can use hooks of ubercart (for example, hook_order, hook_cart etc of ubercart, see in ubercart\docs\hooks.php ), add $_SESSION['no_redirect'] = true; there, and change you redirection:
if($op == 'login' && !$_SESSION['no_redirect']) {
unset($_SESSION['no_redirect']);
drupal_goto('defaut');
}

How to perform Request destination in user page

I am trying to redirect any logged user attempts to access /user.
In my module the next code to redirect after login:
function ccmm_user($op, &$edit, &$account, &$category = NULL)
{
switch($op){
case 'login':
$_REQUEST['destination'] = 'admin/';
break;
}
}
This is working. Then I try with case 'view': but it is useless.
It sounds like you want the user to never get to the /user page, whether on login or even by going there manually.
In that case you should do a simple check in a hook_init function like this:
function ccmm_init() {
if ( $_REQUEST['q'] == '/user' ) {
drupal_goto('/admin'); // Or where ever you want to send them
}
}
Of course there are a lot of checks you should do, and you may want to look into using the Global Redirect module, don't worry it's only 8k in size so the concern about adding yet another module is not such a problem in this case.
You could try the Login Destination module rather than writing your own code.
If you're not familiar with the Login Toboggan module, you should be.
A better way could be to use hook_menu_alter in your module to just remove the menu entry for /user/%user_uid_optional, or move it to another URL.
That way you won't only be handling just logins (as you currently do), but ANY access to /user/ (caveat: including those by the admin user). Or you could use the same hook to modify the access check and only grant it to users with higher permissions, like administer users

Resources