Merge branch 'develop'

src/Controller/Component/CRUDComponent.php

@@ -674,6 +674,7 @@ class CRUDComponent extends Component
                 if (!empty($pruneEmptyDisabled) && !$metaTemplate->enabled) {
                     unset($metaTemplates[$i]);
                 }
+                continue;
             }
             $newestTemplate = $this->MetaTemplates->getNewestVersion($metaTemplate);
             if (!empty($newestTemplate) && !empty($metaTemplates[$i])) {
@@ -787,12 +788,6 @@ class CRUDComponent extends Component
                 if (empty($data)) {
                     throw new NotFoundException(__('Invalid {0}.', $this->ObjectAlias));
                 }
-                if (isset($params['beforeSave'])) {
-                    $data = $params['beforeSave']($data);
-                    if ($data === false) {
-                        throw new NotFoundException(__('Could not save {0} due to the input failing to meet expectations. Your input is bad and you should feel bad.', $this->ObjectAlias));
-                    }
-                }
                 $this->Controller->set('id', $data['id']);
                 $this->Controller->set('data', $data);
                 $this->Controller->set('bulkEnabled', false);

src/Controller/UsersController.php

@@ -96,8 +96,12 @@ class UsersController extends AppController
                         throw new MethodNotAllowedException(__('Invalid individual selected - when KeyCloak is enabled, only one user account may be assigned to an individual.'));
                     }
                 }
-                $this->Users->enrollUserRouter($data);
                 return $data;
+            },
+            'afterSave' => function($data) {
+                if (Configure::read('keycloak.enabled')) {
+                    $this->Users->enrollUserRouter($data);
+                }
             }
         ]);
         $responsePayload = $this->CRUD->getResponsePayload();
@@ -282,16 +286,21 @@ class UsersController extends AppController
             'beforeSave' => function($data) use ($currentUser, $validRoles) {
                 if (!$currentUser['role']['perm_admin']) {
                     if ($data['organisation_id'] !== $currentUser['organisation_id']) {
-                        throw new MethodNotAllowedException(__('You do not have permission to remove the given user.'));
+                        throw new MethodNotAllowedException(__('You do not have permission to delete the given user.'));
                     }
                     if (!in_array($data['role_id'], array_keys($validRoles))) {
-                        throw new MethodNotAllowedException(__('You do not have permission to remove the given user.'));
+                        throw new MethodNotAllowedException(__('You do not have permission to delete the given user.'));
+                    }
+                }
+                if (Configure::read('keycloak.enabled')) {
+                    if (!$this->Users->deleteUser($data)) {
+                        throw new MethodNotAllowedException(__('Could not delete the user from KeyCloak. Please try again later, or consider disabling the user instead.'));
                     }
                 }
                 return $data;
             }
         ];
-        $this->CRUD->delete($id);
+        $this->CRUD->delete($id, $params);
         $responsePayload = $this->CRUD->getResponsePayload();
         if (!empty($responsePayload)) {
             return $responsePayload;

src/Model/Behavior/AuthKeycloakBehavior.php

@@ -84,6 +84,62 @@ class AuthKeycloakBehavior extends Behavior
         );
     }
 
+    public function getUserIdByUsername(string $username)
+    {
+        $response = $this->restApiRequest(
+            '%s/admin/realms/%s/users/?username=' . urlencode($username),
+            [],
+            'GET'
+        );
+        if (!$response->isOk()) {
+            $responseBody = json_decode($response->getStringBody(), true);
+            $this->_table->auditLogs()->insert([
+                'request_action' => 'keycloakGetUser',
+                'model' => 'User',
+                'model_id' => 0,
+                'model_title' => __('Failed to fetch user ({0}) from keycloak', $username),
+                'changed' => ['error' => empty($responseBody['errorMessage']) ? 'Unknown error.' : $responseBody['errorMessage']]
+            ]);
+        }
+        $responseBody = json_decode($response->getStringBody(), true);
+        if (empty($responseBody[0]['id'])) {
+            return false;
+        }
+        return $responseBody[0]['id'];
+    }
+
+    public function deleteUser($data): bool
+    {
+        $userId = $this->getUserIdByUsername($data['username']);
+        if ($userId === false) {
+            $this->_table->auditLogs()->insert([
+                'request_action' => 'keycloakUserDeletion',
+                'model' => 'User',
+                'model_id' => 0,
+                'model_title' => __('User {0} not found in keycloak, deleting the user locally.', $data['username']),
+                'changed' => []
+            ]);
+            return true;
+        }
+        $response = $this->restApiRequest(
+            '%s/admin/realms/%s/users/' . urlencode($userId),
+            [],
+            'delete'
+        );
+        if (!$response->isOk()) {
+            $responseBody = json_decode($response->getStringBody(), true);
+            $this->_table->auditLogs()->insert([
+                'request_action' => 'keycloakUserDeletion',
+                'model' => 'User',
+                'model_id' => 0,
+                'model_title' => __('Failed to delete user {0} ({1}) in keycloak', $data['username'], $userId),
+                'changed' => ['error' => empty($responseBody['errorMessage']) ? 'Unknown error.' : $responseBody['errorMessage']]
+            ]);
+            return false;
+        }
+        return true;
+    }
+
     public function enrollUser($data): bool
     {
         $roleConditions = [