adding role requirement check

Author: vbhayden

auth.php

@@ -108,6 +108,10 @@ private function attempt_jwt_login() {
         if (is_null($payload))
             return;
 
+        $satisfiesRoleRequirement = doesPayloadSatisfyRoleRequirement($payload);
+        if ($satisfiesRoleRequirement == false)
+            return;
+
         /**
          * We allow the environment to specify whether to perform an issuer check.
          * 
@@ -217,6 +221,39 @@ private function attempt_jwt_login() {
         complete_user_login($updatedUser);
     }
 
+    /**
+     * Check whether a parsed JWT payload satisfies the environmental role checks.
+     * 
+     * This will require that the following two values are specified:
+     *      
+     *      1. MOODLE_JWT_CHECK_FOR_ROLE: Whether to use this check, expects string `true`.
+     *      2. MOODLE_JWT_REQUIRED_ROLE: The role to require before allowing logins.
+     *      3. MOODLE_JWT_ROLE_FIELD: The field to check for the specified role.
+     * 
+     * If either of these are not present, then the user will be able to log in.
+     */
+    function doesPayloadSatisfyRoleRequirement($payload) {
+	
+        $checkForRole = getenv('MOODLE_JWT_USE_ROLE_CHECK'); 
+        $roleField = getenv('MOODLE_JWT_ROLE_FIELD');      
+        $requiredRole = getenv('MOODLE_JWT_REQUIRED_ROLE');
+
+        if (empty($checkForRole) || $checkForRole != "true") {
+            return true;
+        }
+
+        if (empty($roleField) || empty($requiredRole)) {
+            return false;
+        }
+    
+        if (isset($payload->$roleField) && is_array($payload->$roleField)) {
+            return in_array($requiredRole, $payload->$roleField);
+        }
+    
+        // Return false if the field is not present or the role is not found
+        return false;
+    }
+
     /**
      * Use the information provided in the cert + environment variables to determine
      * the expected username for this account.

debug/check.php

@@ -35,29 +35,40 @@
 
 function doesPayloadSatisfyRoleRequirement($payload) {
 
-    $roleField = getenv('MOODLE_JWT_ROLE_FIELD');      
-    $requiredRole = getenv('MOODLE_JWT_REQUIRED_ROLE');
-    
-    if (empty($roleField) || empty($requiredRole)) {
-        return true;
-    }
+	$checkForRole = getenv('MOODLE_JWT_USE_ROLE_CHECK'); 
+	$roleField = getenv('MOODLE_JWT_ROLE_FIELD');      
+	$requiredRole = getenv('MOODLE_JWT_REQUIRED_ROLE');
 
-    if (isset($payload->$roleField) && is_array($payload->$roleField)) {
-        return in_array($requiredRole, $payload->$roleField);
-    }
+	if (empty($checkForRole) || $checkForRole != "true") {
+		return true;
+	}
+
+	if (empty($roleField) || empty($requiredRole)) {
+		return false;
+	}
 
-    // Return false if the field is not present or the role is not found
-    return false;
+	if (isset($payload->$roleField) && is_array($payload->$roleField)) {
+		return in_array($requiredRole, $payload->$roleField);
+	}
+
+	// Return false if the field is not present or the role is not found
+	return false;
 }
 
 $payloadWithRole = (object)[
     'roles' => ['admin', 'editor', 'user']
 ];
 
+putenv("MOODLE_JWT_USE_ROLE_CHECK=");
 echo "EXPECTING SUCCESS ...";
 echo true == doesPayloadSatisfyRoleRequirement($payloadWithRole);
 echo "\n";
 
+putenv("MOODLE_JWT_USE_ROLE_CHECK=true");
+echo "EXPECTING FAILURE ...";
+echo false == doesPayloadSatisfyRoleRequirement($payloadWithRole);
+echo "\n";
+
 echo "EXPECTING FAILURE ...";
 putenv("MOODLE_JWT_ROLE_FIELD=non-existent-property");
 putenv("MOODLE_JWT_REQUIRED_ROLE=admin");