function samlauth_form_user_form_alter in SAML Authentication 8.3
Same name and namespace in other branches
- 4.x samlauth.module \samlauth_form_user_form_alter()
Implements hook_form_FORM_ID_alter() for the user edit form.
File
- ./samlauth.module, line 33 - Allows users to authenticate against an external SAML identity provider.
Code
/**
 * Implements hook_form_FORM_ID_alter() for the user edit form.
 *
 * Applies only when all of the following hold:
 * - the account being edited is the current user's own account;
 * - the account has none of the roles listed in the 'drupal_login_roles'
 *   setting (roles that are allowed to log in locally);
 * - the account is linked in the externalauth authmap under the 'samlauth'
 *   provider.
 * In that case the password and current-password elements are hidden, the
 * e-mail element is disabled and a notice is added to the form.
 *
 * NOTE(review): this only changes the rendered form. Whether other write paths
 * to the account (for example web service APIs) need the same restriction is
 * not visible from this function - confirm per site.
 *
 * @param array $form
 *   The form render array, altered in place.
 * @param \Drupal\Core\Form\FormStateInterface $form_state
 *   The form state; its build info 'callback_object' supplies the account.
 */
function samlauth_form_user_form_alter(&$form, FormStateInterface $form_state) {
  /** @var \Drupal\user\Entity\User $edited_user */
  $edited_user = $form_state->getBuildInfo()['callback_object']->getEntity();

  // Only the user's own edit form is affected. The comparison is deliberately
  // loose: presumably the two id() calls can differ in type (string vs. int) -
  // verify before tightening it.
  if ($edited_user->id() != \Drupal::currentUser()->id()) {
    return;
  }

  // Users holding a role that may log in locally keep the normal form.
  $assigned_roles = $edited_user->getRoles();
  $settings = \Drupal::config(SamlController::CONFIG_OBJECT_NAME);
  $local_login_roles = $settings->get('drupal_login_roles') ?? [];
  if (array_intersect($assigned_roles, $local_login_roles)) {
    return;
  }

  // Accounts that are not linked to a SAML login are left alone.
  /** @var \Drupal\externalauth\AuthmapInterface $authmap_service */
  $authmap_service = \Drupal::service('externalauth.authmap');
  if (!$authmap_service->get($edited_user->id(), 'samlauth')) {
    return;
  }

  // Hide the change password field, because the password has no function for
  // users who cannot log in directly.
  $form['account']['pass']['#access'] = FALSE;

  // Lock the e-mail field and drop the "current password" field as well. The
  // user most likely does not know a local password, so they could not change
  // the e-mail anyway; locking it just makes the form easier to understand.
  // This is the common case only: an account created locally and linked to
  // SAML afterwards may still know its password. If being unable to change the
  // e-mail is a concern for such users, solve it through role / configuration
  // changes, custom code, or an issue in the samlauth queue that makes the case
  // for a general solution.
  $form['account']['mail']['#disabled'] = TRUE;
  $form['account']['current_pass']['#access'] = FALSE;

  $notice = t('<strong>NOTE:</strong> E-mail address and password are controlled via SAML.');

  // Append a link to the identity provider's password service when one is
  // configured.
  // NOTE(review): the URL is placed in an href through an '@' placeholder,
  // which HTML-escapes the value but does not filter the URL scheme; Drupal
  // documents the ':' placeholder for href values. The isValid(..., TRUE)
  // guard is what restricts the value to an absolute URL here, so it has to
  // stay in front of this t() call. Switching placeholders would also change
  // the translatable source string.
  $change_url = $settings->get('idp_change_password_service');
  if ($change_url && UrlHelper::isValid($change_url, TRUE)) {
    $notice .= ' ' . t('Please visit <a href="@link">this link</a> to change.', [
      '@link' => $change_url,
    ]);
  }

  $form['account']['saml_notice'] = [
    '#markup' => $notice,
    '#weight' => -1,
  ];
}