From 4a29387d2c127bd544f354155b31fc884293e6c9 Mon Sep 17 00:00:00 2001
From: Glenn Rice
Date: Tue, 1 Oct 2024 19:58:12 -0500
Subject: [PATCH] For LTI 1.3 only consider roles in the context for automatically created users. This is to fix the issue discussed in https://webwork.maa.org/moodle/mod/forum/discuss.php?d=8565#p21514. If someone needs the institution roles, then the new $LTI{v1p3}{AllowInstitutionRoles} option defined in conf/authen_LTI_1_3 can be set to 1, and then those roles will also be considered.
---
 conf/authen_LTI_1_3.conf.dist | 8 +++++++-
 lib/WeBWorK/Authen/LTIAdvantage.pm | 9 +++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/conf/authen_LTI_1_3.conf.dist b/conf/authen_LTI_1_3.conf.dist
index 60e2cf0b31..72ded20756 100644
--- a/conf/authen_LTI_1_3.conf.dist
+++ b/conf/authen_LTI_1_3.conf.dist
@@ -127,7 +127,7 @@ $LTI{v1p3}{LMSrolesToWeBWorKroles} = {
 'observer' => 'guest',
 'visitor' => 'guest',
 'Guest' => 'guest',
- 'Administrator' => 'professor',
+ 'Administrator' => 'admin',
 'Designer' => 'professor',
 'instructor' => 'professor',
 'Instructor' => 'professor',
@@ -144,6 +144,12 @@ $LTI{v1p3}{LMSrolesToWeBWorKroles} = {
 'Grader' => 'ta',
 };
+# The LMS reports roles context (or membership), instititution, and system
+# roles. WeBWorK always ignores system roles, and also ignores institution
+# roles by default. In some cases you may also want to consider institution
+# roles. In that case set the following to 1.
+$LTI{v1p3}{AllowInstitutionRoles} = 0;
+
 ################################################################################################
 # Local routine to modify users
 ################################################################################################
diff --git a/lib/WeBWorK/Authen/LTIAdvantage.pm b/lib/WeBWorK/Authen/LTIAdvantage.pm
index 6803bdc4b8..b9fb4b9f0a 100644
--- a/lib/WeBWorK/Authen/LTIAdvantage.pm
+++ b/lib/WeBWorK/Authen/LTIAdvantage.pm
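Review bot: The `'Administrator' => 'admin'` entry changes what automatically created users with the LMS Administrator role receive, presumably a higher level than `professor`, and the commit message does not mention it. The lookup key is the bare role name (the create_user hunk in lib/WeBWorK/Authen/LTIAdvantage.pm strips everything up to `#`), so once `$LTI{v1p3}{AllowInstitutionRoles}` from the next hunk is set to 1, an institution-wide Administrator role resolves to this same entry. I would add a comment above the entry, for example `# LMS administrators become WeBWorK admins; map to 'professor' if that is more access than intended.` The hash opens and closes outside this hunk.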
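Review bot: The first sentence of the new comment has a typo (`instititution`) and a misplaced word that makes it hard to parse; `# The LMS reports context (or membership), institution, and system roles.` reads correctly. This is the text a site administrator reads before changing `$LTI{v1p3}{AllowInstitutionRoles}`. It would help to add one sentence noting that an institution role is presumably not tied to the course being launched, so enabling the option lets such a role set the permission level in any course.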
@@ -369,10 +369,15 @@ sub create_user ($self) {
 # Determine the roles defined for this user defined in the LTI request and assign a permission level on that basis.
 my @LTIroles = @{ $self->{roles} };
- # Restrict to institution and context roles and remove the purl link portion (ignore system roles).
+ # Restrict to context roles and remove the purl link portion. System roles are always ignored, but institution
+ # roles are also included if $LTI{v1p3}{AllowInstitutionRoles} = 1.
 @LTIroles = map {s|^[^#]*#||r}
- grep {m!^http://purl.imsglobal.org/vocab/lis/v2/(membership|institution\/person)#!} @LTIroles;
+ grep {
+ m!^http://purl.imsglobal.org/vocab/lis/v2/membership#!
+ || ($ce->{LTI}{v1p3}{AllowInstitutionRoles}
+ && m!^http://purl.imsglobal.org/vocab/lis/v2/institution\/person#!)
+ } @LTIroles;
 if ($ce->{debug_lti_parameters}) {
 warn "The adjusted LTI roles defined for this user are: \n-- "
 . join("\n-- ", @LTIroles),
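Review bot: Both patterns in the new `grep` block leave the dots in `purl.imsglobal.org` unescaped, so each `.` matches any character, and the `\/` in `institution\/person` is an unnecessary escape with `!` delimiters. Quoting the literal prefix makes the match exact: `m!^\Qhttp://purl.imsglobal.org/vocab/lis/v2/membership#\E!`, and likewise for the `institution/person#` prefix. The role URIs come from the LTI launch, so the practical exposure is probably small, but these strings decide the permission level of a newly created user. The comment says `= 1` while the code tests truthiness; `is set to a true value` would match the code. create_user starts and ends outside this hunk.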