OpenID access control options: trusted provider URL, Launchpad team restrictions. Added an admin panel for setting these and OpenID-only mode, off by default.

To enable the admin panel:
    $config['admin']['panels'][] = 'openid';

Or to set them manually:
    $config['openid']['trusted_provider'] = 'https://login.ubuntu.net/';
    $config['openid']['required_team'] = 'my-project-cabal';
    $config['site']['openidonly'] = true;

OpenID-only mode can still be set from addPlugin() parameters as well for backwards compatibility.
Note: if it's set there, that value will override the setting from the database or config.php.

Note that team restrictions are only really meaningful if a trusted provider is set; otherwise,
any OpenID server could report back that users are members of the given team.

Restrictions are checked only at OpenID authentication time and will not kick off people currently
with a session open; existing remembered logins may also survive these changes.

Using code for Launchpad team support provided by Canonical under AGPLv3, pulled from r27 of
WordPress teams integration plugin:
    https://code.edge.launchpad.net/~canonical-isd-hackers/wordpress-teams-integration/trunk

1 files changed, 6 insertions, 0 deletions

diff --git a/plugins/OpenID/finishaddopenid.php b/plugins/OpenID/finishaddopenid.php
index 991e6584e..df1763a52 100644
--- a/plugins/OpenID/finishaddopenid.php
+++ b/plugins/OpenID/finishaddopenid.php
@@ -103,6 +103,12 @@ class FinishaddopenidAction extends Action
                 $sreg = $sreg_resp->contents();
             }
 
+            // Launchpad teams extension
+            if (!oid_check_teams($response)) {
+                $this->message(_m('OpenID authentication aborted: you are not allowed to login to this site.'));
+                return;
+            }
+
             $cur = common_current_user();
 
             $other = oid_get_user($canonical);