From c28dfe3a7d9d2f4f698e5ea630dc338576499b9c Mon Sep 17 00:00:00 2001
From: Dan Dalpiaz <dalpiaz1@illinois.edu>
Date: Mon, 29 Jul 2019 09:49:17 -0500
Subject: [PATCH 1/8] add option to disable account creation if no mapped roles
 or default role

---
 options-admin.php | 5 ++++-
 shibboleth.php    | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/options-admin.php b/options-admin.php
index aa0f415..3e5f2a3 100644
--- a/options-admin.php
+++ b/options-admin.php
@@ -594,11 +594,14 @@ function AttributeAccessMethod()
 						<option value="' . $key . '"' .  selected( $default_role, $key ) . '>' . __($name) . '</option>';
 			}
 ?>
+							<option value="noaccount" <?php selected( $default_role, "noaccount" )?> ><?php _e('Do NOT create an account', 'shibboleth') ?></option>
 						</select>
 
 						<p><?php _e('If a user does not map into any of the roles above, they will'
 							. ' be placed into the default role.  If there is no default role, the'
-							. ' user will not be able to log in with Shibboleth.', 'shibboleth'); ?></p>
+							. ' user will not be assigned a role when creating an account with'
+							. ' Shibboleth.  If "Do NOT create an account" is selected, the user'
+							. ' will not be able to create an account with Shibboleth.', 'shibboleth'); ?></p>
 					</td>
 				</tr>
 
diff --git a/shibboleth.php b/shibboleth.php
index 4c4ca3d..f4df4e7 100644
--- a/shibboleth.php
+++ b/shibboleth.php
@@ -614,9 +614,10 @@ function shibboleth_authenticate_user() {
 function shibboleth_create_new_user( $user_login, $user_email ) {
 	$create_accounts = shibboleth_getoption( 'shibboleth_create_accounts' );
 	$shib_logging = shibboleth_getoption( 'shibboleth_logging', array(), true );
+	$user_role = shibboleth_get_user_role();
 
 	if ( $create_accounts != false ) {
-		if ( empty( $user_login ) || empty( $user_email ) ) {
+		if ( empty( $user_login ) || empty( $user_email ) || $user_role === "noaccount" ) {
 			return null;
 		}
 
@@ -633,7 +634,6 @@ function shibboleth_create_new_user( $user_login, $user_email ) {
 
 			// always update user data and role on account creation
 			shibboleth_update_user_data( $user->ID, true );
-			$user_role = shibboleth_get_user_role();
 			$user->set_role( $user_role );
 			do_action( 'shibboleth_set_user_roles', $user );
 			if ( in_array( 'account_create', $shib_logging ) || defined( 'WP_DEBUG' ) && WP_DEBUG ) {

From d0ef39cb2e631df57ac8a336429c28a8fa2c2dcc Mon Sep 17 00:00:00 2001
From: Dan Dalpiaz <dalpiaz1@illinois.edu>
Date: Mon, 29 Jul 2019 13:06:13 -0500
Subject: [PATCH 2/8] update role name for _no_account

---
 options-admin.php | 2 +-
 shibboleth.php    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/options-admin.php b/options-admin.php
index 3e5f2a3..1757ec1 100644
--- a/options-admin.php
+++ b/options-admin.php
@@ -594,7 +594,7 @@ function AttributeAccessMethod()
 						<option value="' . $key . '"' .  selected( $default_role, $key ) . '>' . __($name) . '</option>';
 			}
 ?>
-							<option value="noaccount" <?php selected( $default_role, "noaccount" )?> ><?php _e('Do NOT create an account', 'shibboleth') ?></option>
+							<option value="_no_account" <?php selected( $default_role, "_no_account" ); ?>><?php _e('Do NOT create an account', 'shibboleth') ?></option>
 						</select>
 
 						<p><?php _e('If a user does not map into any of the roles above, they will'
diff --git a/shibboleth.php b/shibboleth.php
index f4df4e7..d19661b 100644
--- a/shibboleth.php
+++ b/shibboleth.php
@@ -617,7 +617,7 @@ function shibboleth_create_new_user( $user_login, $user_email ) {
 	$user_role = shibboleth_get_user_role();
 
 	if ( $create_accounts != false ) {
-		if ( empty( $user_login ) || empty( $user_email ) || $user_role === "noaccount" ) {
+		if ( empty( $user_login ) || empty( $user_email ) || $user_role === "_no_account" ) {
 			return null;
 		}
 

From 1e40c67be8db77b4c5534188a7f0a05c830069ce Mon Sep 17 00:00:00 2001
From: Dan Dalpiaz <dalpiaz1@illinois.edu>
Date: Mon, 12 Aug 2019 15:35:34 -0500
Subject: [PATCH 3/8] rename labels

---
 options-admin.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/options-admin.php b/options-admin.php
index 1757ec1..8435fc7 100644
--- a/options-admin.php
+++ b/options-admin.php
@@ -587,20 +587,20 @@ function AttributeAccessMethod()
 					<th scope="row"><?php _e('Default Role', 'shibboleth') ?></th>
 					<td>
 						<select id="default_role" name="default_role" <?php if ( defined( 'SHIBBOLETH_DEFAULT_ROLE' ) ) { disabled( $default_role, SHIBBOLETH_DEFAULT_ROLE ); } ?>>
-							<option value=""><?php _e('(none)', 'shibboleth') ?></option>
+							<option value=""><?php _e('(no role)', 'shibboleth') ?></option>
+							<option value="_no_account" <?php selected( $default_role, "_no_account" ); ?>><?php _e('(skip \'no role\' account creation)', 'shibboleth') ?></option>
 <?php
 			foreach ($wp_roles->role_names as $key => $name) {
 				echo '
 						<option value="' . $key . '"' .  selected( $default_role, $key ) . '>' . __($name) . '</option>';
 			}
 ?>
-							<option value="_no_account" <?php selected( $default_role, "_no_account" ); ?>><?php _e('Do NOT create an account', 'shibboleth') ?></option>
 						</select>
 
 						<p><?php _e('If a user does not map into any of the roles above, they will'
 							. ' be placed into the default role.  If there is no default role, the'
 							. ' user will not be assigned a role when creating an account with'
-							. ' Shibboleth.  If "Do NOT create an account" is selected, the user'
+							. ' Shibboleth.  If "(skip \'no role\' account creation)" is selected, the user'
 							. ' will not be able to create an account with Shibboleth.', 'shibboleth'); ?></p>
 					</td>
 				</tr>

From b4ecfbbfbf02ec715564a3ea109c6e506961a5d2 Mon Sep 17 00:00:00 2001
From: Michael McNeill <michael@michaelryanmcneill.com>
Date: Wed, 17 Jun 2020 13:58:04 -0400
Subject: [PATCH 4/8] Adding <IfModule> flags to prevent fatal errors on
 installs without mod_shib

Resolves #60
---
 shibboleth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shibboleth.php b/shibboleth.php
index 499ee21..aa06c71 100644
--- a/shibboleth.php
+++ b/shibboleth.php
@@ -901,7 +901,7 @@ function shibboleth_insert_htaccess() {
 
 	if ( got_mod_rewrite() && ! $disabled ) {
 		$htaccess = get_home_path() . '.htaccess';
-		$rules = array( 'AuthType shibboleth', 'Require shibboleth' );
+		$rules = array( '<IfModule mod_shib>','AuthType shibboleth', 'Require shibboleth','</IfModule>' );
 		insert_with_markers( $htaccess, 'Shibboleth', $rules );
 	}
 }

From 02ef5eff1aaca27e68b80f38e177de86f3594d03 Mon Sep 17 00:00:00 2001
From: Michael McNeill <michael@michaelryanmcneill.com>
Date: Wed, 17 Jun 2020 14:03:33 -0400
Subject: [PATCH 5/8] Bumping version to 2.2

---
 shibboleth.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/shibboleth.php b/shibboleth.php
index aa06c71..1ae183f 100644
--- a/shibboleth.php
+++ b/shibboleth.php
@@ -4,13 +4,13 @@
  Plugin URI: http://wordpress.org/extend/plugins/shibboleth
  Description: Easily externalize user authentication to a <a href="http://shibboleth.internet2.edu">Shibboleth</a> Service Provider
  Author: Michael McNeill, mitcho (Michael 芳貴 Erlewine), Will Norris
- Version: 2.1.1
+ Version: 2.2
  License: Apache 2 (http://www.apache.org/licenses/LICENSE-2.0.html)
  Text Domain: shibboleth
  */
 
 define( 'SHIBBOLETH_MINIMUM_WP_VERSION', '3.3' );
-define( 'SHIBBOLETH_PLUGIN_VERSION', '2.1.1' );
+define( 'SHIBBOLETH_PLUGIN_VERSION', '2.2' );
 
 /**
  * Determine if this is a new install or upgrade and, if so, run the

From 05b3e70bb86e671c4e3633de10cedecc2baf0577 Mon Sep 17 00:00:00 2001
From: Michael McNeill <michael@michaelryanmcneill.com>
Date: Wed, 17 Jun 2020 14:09:55 -0400
Subject: [PATCH 6/8] Updating readme.txt with proper version and changelog

---
 readme.txt | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/readme.txt b/readme.txt
index 05a15fa..fb8fbf8 100644
--- a/readme.txt
+++ b/readme.txt
@@ -2,8 +2,8 @@
 Contributors: michaelryanmcneill, willnorris, mitchoyoshitaka, jrchamp, dericcrago, bshelton229
 Tags: shibboleth, authentication, login, saml
 Requires at least: 3.3
-Tested up to: 4.9.6
-Stable tag: 2.1.1
+Tested up to: 5.4.2
+Stable tag: 2.2
 
 Allows WordPress to externalize user authentication and account creation to a Shibboleth Service Provider.
 
@@ -186,6 +186,10 @@ This update brings with it a major change to the way Shibboleth attributes are a
 This update brings with it a major change to the way Shibboleth attributes are accessed. For most users, no additional configuration will be necessary. If you are using a specialized server configuration, such as a Shibboleth Service Provider on a reverse proxy or a server configuration that results in environment variables being sent with the prefix REDIRECT_, you should see the changelog for additional details: https://wordpress.org/plugins/shibboleth/#developers
 
 == Changelog ==
+= version 2.2 (2020-06-xx) =
+ - Implementing <IfModule> conditional for .htaccess to protect against the Shibboleth Apache module not being installed; [thanks to @jrchamp for reporting](https://github.com/michaelryanmcneill/shibboleth/issues/60).
+ - Added an option to disable account creation if no mapped roles or default roles exist; props [@dandalpiaz](https://github.com/michaelryanmcneill/shibboleth/pull/59).
+
 = version 2.1.1 (2018-05-16) =
  - Minor code cleanup for disabling authentication and passsword resets; props [@jrchamp](https://github.com/michaelryanmcneill/shibboleth/commit/06c28bec6d42e92a9338961e2f7ed4a7ae8a0f71#commitcomment-29005081).
  - Resolved a minor problem where setting the SHIBBOLETH_LOGGING constant on PHP 5.5 or below would not work in the administrative interface; props [@jrchamp](https://github.com/michaelryanmcneill/shibboleth/pull/47#discussion_r188758184).

From 385ba902a12dc48c29d27fac3429761ee8f40973 Mon Sep 17 00:00:00 2001
From: Michael McNeill <michael@michaelryanmcneill.com>
Date: Wed, 17 Jun 2020 14:19:49 -0400
Subject: [PATCH 7/8] Adding additional changes to readme.txt

---
 readme.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/readme.txt b/readme.txt
index fb8fbf8..ae3f85c 100644
--- a/readme.txt
+++ b/readme.txt
@@ -189,6 +189,7 @@ This update brings with it a major change to the way Shibboleth attributes are a
 = version 2.2 (2020-06-xx) =
  - Implementing <IfModule> conditional for .htaccess to protect against the Shibboleth Apache module not being installed; [thanks to @jrchamp for reporting](https://github.com/michaelryanmcneill/shibboleth/issues/60).
  - Added an option to disable account creation if no mapped roles or default roles exist; props [@dandalpiaz](https://github.com/michaelryanmcneill/shibboleth/pull/59).
+ - Improve the Shibboleth login link so that when it shows up on a normal request it will correctly still be a login link and will redirect back to the page that showed the login link; props [@Alhrath](https://github.com/michaelryanmcneill/shibboleth/pull/53).
 
 = version 2.1.1 (2018-05-16) =
  - Minor code cleanup for disabling authentication and passsword resets; props [@jrchamp](https://github.com/michaelryanmcneill/shibboleth/commit/06c28bec6d42e92a9338961e2f7ed4a7ae8a0f71#commitcomment-29005081).

From 519c34afa0e64490e8f5639191bbd65233fb881a Mon Sep 17 00:00:00 2001
From: Michael McNeill <michael@michaelryanmcneill.com>
Date: Wed, 17 Jun 2020 14:52:39 -0400
Subject: [PATCH 8/8] Making final updates for release

---
 readme.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/readme.txt b/readme.txt
index ae3f85c..3e71928 100644
--- a/readme.txt
+++ b/readme.txt
@@ -1,5 +1,5 @@
 === Shibboleth ===
-Contributors: michaelryanmcneill, willnorris, mitchoyoshitaka, jrchamp, dericcrago, bshelton229
+Contributors: michaelryanmcneill, willnorris, mitchoyoshitaka, jrchamp, dericcrago, bshelton229, Alhrath, dandalpiaz
 Tags: shibboleth, authentication, login, saml
 Requires at least: 3.3
 Tested up to: 5.4.2
@@ -186,7 +186,7 @@ This update brings with it a major change to the way Shibboleth attributes are a
 This update brings with it a major change to the way Shibboleth attributes are accessed. For most users, no additional configuration will be necessary. If you are using a specialized server configuration, such as a Shibboleth Service Provider on a reverse proxy or a server configuration that results in environment variables being sent with the prefix REDIRECT_, you should see the changelog for additional details: https://wordpress.org/plugins/shibboleth/#developers
 
 == Changelog ==
-= version 2.2 (2020-06-xx) =
+= version 2.2 (2020-06-17) =
  - Implementing <IfModule> conditional for .htaccess to protect against the Shibboleth Apache module not being installed; [thanks to @jrchamp for reporting](https://github.com/michaelryanmcneill/shibboleth/issues/60).
  - Added an option to disable account creation if no mapped roles or default roles exist; props [@dandalpiaz](https://github.com/michaelryanmcneill/shibboleth/pull/59).
  - Improve the Shibboleth login link so that when it shows up on a normal request it will correctly still be a login link and will redirect back to the page that showed the login link; props [@Alhrath](https://github.com/michaelryanmcneill/shibboleth/pull/53).