diff --git a/src/Security/SamlUser.php b/src/Security/SamlUser.php
index b9170023..20997421 100644
--- a/src/Security/SamlUser.php
+++ b/src/Security/SamlUser.php
@@ -9,6 +9,7 @@ class SamlUser implements SamlUserInterface
     private $email;
     private $givenName;
     private $surname;
+    private $assignedRoles = [];
 
     public function __construct(
         private string $id,
@@ -26,6 +27,15 @@ public function setSamlAttributes(array $attributes): void
         if (!empty($attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'][0])) {
             $this->surname = $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'][0];
         }
+        // Add a custom attribute called 'AssignedRoles' and supply zero or more
+        // of the following values in the SAML response:
+        // "App.EmailSendAllowed" -- If included, the user will be able to send
+        // their schedule as an email.
+        // "App.Manager" -- If included, the user will be able to manage term
+        // visibility and export configurations.
+        if (!empty($attributes['AssignedRoles'])) {
+            $this->assignedRoles = $attributes['AssignedRoles'];
+        }
     }
 
     /**
@@ -46,10 +56,12 @@ public function getRoles(): array
     {
         $roles = ['ROLE_USER'];
 
-        // This is just a placeholder implementation. It should be configurable.
-        if ($this->email && preg_match('/@middlebury\.edu$/', $this->email)) {
+        if (!empty($this->assignedRoles) && in_array('App.EmailSendAllowed', $this->assignedRoles)) {
             $roles[] = 'ROLE_CAN_SEND_EMAIL';
         }
+        if (!empty($this->assignedRoles) && in_array('App.Manager', $this->assignedRoles)) {
+            $roles[] = 'ROLE_ADMIN';
+        }
 
         return $roles;
     }
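Review bot: The new property `private $assignedRoles = [];` is declared without a type, while the constructor in the same class already uses typed promoted parameters (`private string $id`). Declaring it as `private array $assignedRoles = [];` lets the engine reject a non-array assignment at the point it happens instead of letting it surface later in `getRoles()`. A `/** @var list<string> */` docblock would also document the expected element type for static analysis.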
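Review bot: `$this->assignedRoles = $attributes['AssignedRoles'];` stores the attribute value without checking its shape, so a single-valued or non-string encoding of the attribute from the IdP reaches `in_array()` in `getRoles()` as-is, and `in_array()` throws a TypeError on a non-array haystack in PHP 8. Since this value now decides whether `ROLE_ADMIN` is granted, normalize it at assignment to a list of strings: `$this->assignedRoles = array_values(array_filter((array) $attributes['AssignedRoles'], 'is_string'));`. The surrounding `setSamlAttributes()` method begins outside this hunk.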
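Review bot: Both new `in_array()` calls in `getRoles()` use loose comparison, and under PHP's loose rules a boolean `true` element matches any non-empty string, so an attribute list containing `true` would satisfy `in_array('App.Manager', ...)` and grant `ROLE_ADMIN`. Pass the strict flag on both lines: `in_array('App.Manager', $this->assignedRoles, true)` and likewise for `'App.EmailSendAllowed'`. The `!empty($this->assignedRoles) &&` prefix is redundant, as `in_array()` on an empty array already returns false. The `getRoles()` signature line sits just above this hunk.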