in classes/loginflow/base.php [466:514]
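/**
 * Check the ID token against the admin-configured user restrictions.
 *
 * Each non-empty line of the "userrestrictions" setting is used as a PCRE pattern (written without
 * delimiters) and matched against the token's "upn" claim, or the OIDC-standard "sub" claim when
 * "upn" is empty. When "userrestrictionscasesensitive" is set and false the match is case-insensitive.
 * The user passes as soon as one pattern matches; when no non-empty restriction lines exist every
 * user passes.
 *
 * Patterns are used as written: they are not anchored, and a line containing an unescaped "/" is
 * likely to fail to compile because "/" is the delimiter added here. A pattern that does not compile
 * never matches, so a broken restriction denies login rather than permitting it; the failure is
 * recorded through \auth_oidc\utils::debug() so it can be found in the logs.
 *
 * Any output produced while matching is captured in an output buffer and logged instead of being sent
 * to the client. The buffer is closed in a finally block so it is released on every path out of the
 * loop, including the early exit taken when a pattern matches.
 *
 * @param \auth_oidc\jwt $idtoken The decoded ID token to check.
 * @return bool True if the user passes the restrictions (or none are configured), false otherwise.
 */
protected function checkrestrictions(\auth_oidc\jwt $idtoken) {
    $restrictions = isset($this->config->userrestrictions) ? trim($this->config->userrestrictions) : '';
    if ($restrictions === '') {
        // No restrictions configured: nothing can deny the user.
        return true;
    }

    // Match "UPN" (Azure-specific) if available, otherwise match oidc-standard "sub".
    $tomatch = $idtoken->claim('upn');
    if (empty($tomatch)) {
        $tomatch = $idtoken->claim('sub');
    }

    // Only an explicitly configured "false" makes matching case-insensitive; unset means case-sensitive.
    $caseinsensitive = isset($this->config->userrestrictionscasesensitive)
        && !$this->config->userrestrictionscasesensitive;

    $hasrestrictions = false;
    $userpassed = false;
    foreach (explode("\n", $restrictions) as $restriction) {
        $restriction = trim($restriction);
        if ($restriction === '') {
            continue;
        }
        $hasrestrictions = true;

        $pattern = '/'.$restriction.'/'.($caseinsensitive ? 'i' : '');

        // Capture anything written while matching so it goes to the debug log, not the response.
        ob_start();
        try {
            // "@" keeps a malformed pattern from emitting a warning; the === false check below records
            // the failure explicitly instead of silently treating it as "no match".
            $count = @preg_match($pattern, $tomatch);
            if ($count === false) {
                $debugdata = [
                    'pregerror' => preg_last_error(),
                    'restriction' => $restriction,
                    'tomatch' => $tomatch,
                ];
                \auth_oidc\utils::debug('Invalid user restriction pattern.', 'handleauthresponse', $debugdata);
            } else if ($count > 0) {
                $userpassed = true;
            }
        } catch (\Exception $e) {
            $debugdata = [
                'exception' => $e,
                'restriction' => $restriction,
                'tomatch' => $tomatch,
            ];
            \auth_oidc\utils::debug('Error running user restrictions.', 'handleauthresponse', $debugdata);
        } finally {
            // Always close the buffer opened above, including when we break out of the loop below.
            $contents = ob_get_contents();
            ob_end_clean();
            if (!empty($contents)) {
                $debugdata = [
                    'contents' => $contents,
                    'restriction' => $restriction,
                    'tomatch' => $tomatch,
                ];
                \auth_oidc\utils::debug('Output while running user restrictions.', 'handleauthresponse', $debugdata);
            }
        }

        if ($userpassed) {
            // One matching restriction is enough; the buffer for this iteration is already closed.
            break;
        }
    }

    // Deny only when restrictions exist and none of them matched.
    return !$hasrestrictions || $userpassed;
}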