
Create UI for Role to CAS/LDAP attribute mappings

Open figureone opened this issue 7 years ago • 9 comments

Currently can do this with authorizer_allow_login, authorizer_custom_role, and authorizer_automatically_approve_login hooks, but a UI for defining the mappings would be nice.

Implement an extra tab on the Authorizer options page that has a list of rules that you've defined. Would need to cache possible attributes from prior logins to show suggestions to users. (Probably should only cache attributes, not values, because of potential sensitive data).

figureone • Jan 10 '19 20:01

Related: https://github.com/uhm-coe/authorizer/issues/7

figureone • Jan 10 '19 20:01

Any work done for this already? Otherwise I would take a swing at it.

Scriptkiddi • Apr 12 '19 10:04

A pull request would be awesome, even if partially implemented. The only work we've done so far is conceptual; no code has been written. Here's what we're thinking:

  • A new tab in Authorizer Settings, probably called Access Groups.
  • On that tab, a list of WordPress role to CAS/LDAP attribute mappings.
  • List items should be draggable to change priority (e.g., if a user matches 2 mappings, the first one in the list takes priority).
  • Each list item has these fields:
    • CAS/LDAP attribute (select2 dropdown): possible attributes that allows typing in a custom attribute. Should cache a list of possible attributes returned from LDAP or CAS, updated each time someone logs in; we would probably only want to cache attribute names, and not values, for privacy reasons. https://select2.org/
    • Operator (dropdown): match type: contains, equals, does not equal, starts with, etc.
    • Value (text field): value the CAS/LDAP attribute should have in order to match.
    • Role (dropdown): role to assign to users matching this mapping.
  • The last list item should be an Add New list item (similar to the structure of the Approved Users list).
  • List items can be individually saved via AJAX (like Approved Users list items), or use the standard WordPress options page Save Changes button (form POST). Prefer the former.

CAS/LDAP attributes that are not simple strings may be more difficult; might have to parse multi-valued attributes.

Each list item might also have a button (or be expandable) to show a list of users that have logged in and matched that mapping. But this would require setting some usermeta value indicating which mapping the user matched to last.

There's some complexity in Authorizer for multisite settings, where the multisite settings override subsite settings, but you can leave that part out and just implement it for single site for now to make it easier.

Thanks again for any contributions you end up making!

figureone • Apr 13 '19 00:04
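
The first-match rule evaluation described in the comment above, as an added example that is not part of the thread or of Authorizer's code. The function names, the operator keys (equals, not_equals, contains, starts_with), the rule array shape, and case-sensitive comparison are assumptions, and it is not wired to any Authorizer hook.

```php
<?php
// Added example, not Authorizer code. Rule fields follow the list above; all names are hypothetical.
// Flatten one attribute to strings. Multi-valued attributes arrive as arrays;
// PHP's ldap_get_entries() also adds a 'count' element, dropped here.
function attribute_values( array $attributes, $name ) {
	$values = isset( $attributes[ $name ] ) ? (array) $attributes[ $name ] : array();
	unset( $values['count'] );
	return array_map( 'strval', array_filter( $values, 'is_scalar' ) );
}

// True if any single value satisfies a positive operator; unknown operators never match.
function any_value_matches( array $values, $operator, $expected ) {
	foreach ( $values as $value ) {
		if ( ( 'equals' === $operator && $value === $expected )
			|| ( 'contains' === $operator && false !== strpos( $value, $expected ) )
			|| ( 'starts_with' === $operator && 0 === strpos( $value, $expected ) ) ) {
			return true;
		}
	}
	return false;
}

// Walk rules in list order; first match wins, otherwise $default_role.
function role_for_attributes( array $rules, array $attributes, $default_role ) {
	foreach ( $rules as $rule ) {
		$expected = (string) $rule['value'];
		if ( '' === $expected ) {
			continue; // An empty "contains" or "starts with" would match every user.
		}
		$values = attribute_values( $attributes, $rule['attribute'] );
		if ( 'not_equals' === $rule['operator'] ) {
			// Every value must differ; a missing attribute does not match.
			$matched = $values && ! any_value_matches( $values, 'equals', $expected );
		} else {
			$matched = any_value_matches( $values, $rule['operator'], $expected );
		}
		if ( $matched ) {
			return $rule['role'];
		}
	}
	return $default_role;
}

// Constructed sample: two rules in priority order and one multi-valued LDAP attribute.
$rules = array(
	array( 'attribute' => 'memberof', 'operator' => 'starts_with', 'value' => 'cn=staff,', 'role' => 'editor' ),
	array( 'attribute' => 'memberof', 'operator' => 'contains', 'value' => 'ou=groups', 'role' => 'author' ),
);
$attributes = array( 'memberof' => array( 'count' => 2, 'cn=students,ou=groups,dc=example,dc=edu', 'cn=staff,ou=groups,dc=example,dc=edu' ) );
echo role_for_attributes( $rules, $attributes, 'subscriber' ), "\n";
```

Treating "does not equal" as "no value equals" matters for multi-valued attributes: an any-value test would match nearly every user who belongs to more than one group.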

This functionality would be great to have. We have done some role mapping through wp-hooks via the functions.php file. Having this capability via the UI would be really nice.

pdvsingh • May 29 '19 03:05

I believe this would be the best functionality to add to the plugin, since most of the CAS servers have extra attributes that Authorizer users need to acquire.

sintos • May 29 '19 21:05

So I'm finally getting around to it. What do you use to develop WordPress plugins?

Scriptkiddi • Jul 21 '19 18:07

@Scriptkiddi You may want to start with reading https://developer.wordpress.org/plugins/

You will need a local WordPress install to test with.

pkarjala • Jul 22 '19 17:07

@pkarjala thanks, but I was looking for an IDE setup

Scriptkiddi • Jul 23 '19 08:07

Any text editor should do. I use Sublime Text 3. Atom is another good (and free) alternative.

As long as you can monitor the error logs on your test server, you shouldn't require a full-fledged debugger, but if you find yourself needing one to integrate with xdebug, take a look at phpstorm.

error_log( print_r( $any_variable, true ) ); is an easy way to inspect the contents of any variable by dumping them to the web server error log (or wp-content/debug.log if you have WP_DEBUG_LOG set to true). https://codex.wordpress.org/WP_DEBUG

figureone • Jul 23 '19 18:07