Optional user blocking when user register approval is required #88

Open
wants to merge 6 commits into
base: master
1 change: 1 addition & 0 deletions composer.json
Expand Up @@ -11,6 +11,7 @@
"php": "^7.1"
},
"require-dev": {
"behat/mink-extension": "^2.3.1",
"composer/installers": "~1.5",
"consolidation/robo": "~1.4",
"consolidation/annotated-command": "^2.8.2",
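Review bot: the `"behat/mink-extension": "^2.3.1"` entry appears to be the single addition in this file (the header reports 1 addition, 0 deletions), and nothing in the PR explains it; say in the description that it backs the Mink session helpers (`getSession()->getPage()->findField()`) introduced in tests/Behat/AuthenticationContext.php, and confirm whether a committed composer.lock has to be regenerated alongside it.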
1 change: 1 addition & 0 deletions config/install/oe_authentication.settings.yml
Expand Up @@ -3,3 +3,4 @@ register_path: 'eim/external/register.cgi'
validation_path: 'TicketValidationService'
assurance_level: TOP
ticket_types: SERVICE,PROXY
block_on_site_admin_approval: true
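Review bot: shipping `block_on_site_admin_approval: true` as the install default keeps the pre-existing behaviour (EU Login accounts stay blocked until an administrator approves them) for fresh installs, which is the safe choice; the post-update hook in oe_authentication.post_update.php writes the same value for existing sites, so the two stay consistent. No change needed here.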
5 changes: 4 additions & 1 deletion config/schema/oe_authentication.schema.yml
Expand Up @@ -16,4 +16,7 @@ oe_authentication.settings:
label: 'Application assurance levels'
ticket_types:
type: string
label: 'Application available ticket types'
label: 'Application available ticket types'
block_on_site_admin_approval:
type: boolean
label: 'Block newly created users if the site requires admin approval'
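Review bot: `label: 'Application available ticket types'` shows up as both the one deletion and one of the four additions, so that line is a whitespace-only change; drop it from the diff unless it fixes indentation. The new `block_on_site_admin_approval` mapping is typed `boolean`, so the value written from the settings form should be a real bool rather than the checkbox's 0/1 integer (see the submitForm hunk in src/Form/AuthenticationSettingsForm.php).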
17 changes: 17 additions & 0 deletions oe_authentication.post_update.php
@@ -0,0 +1,17 @@
<?php

/**
* @file
* Post update functions for OE Authentication module.
*/

declare(strict_types = 1);

/**
* Add the 'block_on_site_admin_approval' module setting.
*/
function oe_authentication_post_update_user_register_redirect(): void {
\Drupal::configFactory()->getEditable('oe_authentication.settings')
->set('block_on_site_admin_approval', TRUE)
->save();
}
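Review bot: the hook name `oe_authentication_post_update_user_register_redirect` does not describe what it does (it adds the `block_on_site_admin_approval` setting), and post-update names become permanent once a site has run them because Drupal records them as executed; rename it before merge, for example `oe_authentication_post_update_add_block_on_site_admin_approval`. Writing `TRUE` unconditionally is correct, since it preserves the blocking behaviour existing sites already had rather than silently switching them to active accounts.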
15 changes: 10 additions & 5 deletions src/Event/EuLoginEventSubscriber.php
Expand Up @@ -12,6 +12,7 @@
use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\Messenger\MessengerInterface;
use Drupal\Core\StringTranslation\StringTranslationTrait;
use Drupal\user\UserInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Drupal\oe_authentication\CasProcessor;
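Review bot: importing `Drupal\user\UserInterface` lets the subscriber stop using the deprecated global `USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL` constant, which is welcome; while touching this block, consider sorting the `use` statements, since `Drupal\oe_authentication\CasProcessor` now sits after the Symfony imports.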
Expand Down Expand Up @@ -106,12 +107,16 @@ public function processUserProperties(CasPreRegisterEvent $event): void {
$attributes = $event->getCasPropertyBag()->getAttributes();
$event->setPropertyValues(CasProcessor::convertCasAttributesToFieldValues($attributes));

// If the site is configured to need administrator approval,
// change the status of the account to blocked.
// If the site is configured to require administrator approval on user
// registration and OE Authentication is configured to register new users as
// disabled users, change the status of the account to blocked.
$user_settings = $this->configFactory->get('user.settings');
if ($user_settings->get('register') === USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) {
$event->setPropertyValue('status', 0);
$this->messenger->addStatus($this->t('Thank you for applying for an account. Your account is currently pending approval by the site administrator.'));
if ($user_settings->get('register') === UserInterface::REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) {
$oe_authentication_settings = $this->configFactory->get('oe_authentication.settings');
if ($oe_authentication_settings->get('block_on_site_admin_approval')) {
$event->setPropertyValue('status', 0);
$this->messenger->addStatus($this->t('Thank you for applying for an account. Your account is currently pending approval by the site administrator.'));
}
}
}

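Review bot: with `block_on_site_admin_approval` unchecked, an account created through EU Login on a site whose `user.settings:register` is set to administrator approval now comes out active, so the module setting overrides the site-wide registration policy for this one sign-up path. That is the intent of the PR, but it should be stated explicitly in the option's description and the module documentation, and a log entry (via the module logger) when a user is created active under that combination would give administrators an audit trail. The `$oe_authentication_settings` lookup inside the outer `if` is fine as written; the status message is only shown when the account is actually blocked, which matches the old behaviour.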
9 changes: 9 additions & 0 deletions src/Form/AuthenticationSettingsForm.php
Expand Up @@ -6,6 +6,7 @@

use Drupal\Core\Form\ConfigFormBase;
use Drupal\Core\Form\FormStateInterface;
use Drupal\user\UserInterface;

/**
* Settings form for module.
Expand Down Expand Up @@ -53,6 +54,13 @@ public function buildForm(array $form, FormStateInterface $form_state) {
'#title' => $this->t('Application available ticket types'),
'#default_value' => $this->config(static::CONFIG_NAME)->get('ticket_types'),
];
$form['block_on_site_admin_approval'] = [
'#type' => 'checkbox',
'#title' => $this->t('Block newly created users if the site requires admin approval'),
'#disabled' => $this->config('user.settings')->get('register') !== UserInterface::REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL,
'#default_value' => $this->config(static::CONFIG_NAME)->get('block_on_site_admin_approval'),
'#description' => $this->t('New users, registered after a successful EU Login, are disabled when this option is checked, if the user registration is configured to require administrators approval. This option cannot be configured and has no effect if only administrators can register users or visitors can register themselves without any approval.'),
];
return parent::buildForm($form, $form_state);
}

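Review bot: `#disabled` is computed once at build time from `user.settings:register`, and Form API ignores submitted input for disabled elements and falls back to `#default_value`, so the stored setting survives a save while the checkbox is greyed out; that is fine. The `#description` text needs a grammar pass ("require administrator approval", "New users registered after a successful EU Login are disabled when this option is checked and user registration requires administrator approval") and should say plainly that unchecking it creates active accounts on an approval-gated site, since that is the security-relevant consequence.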
Expand All @@ -66,6 +74,7 @@ public function submitForm(array &$form, FormStateInterface $form_state) {
->set('validation_path', $form_state->getValue('validation_path'))
->set('assurance_level', $form_state->getValue('assurance_level'))
->set('ticket_types', $form_state->getValue('ticket_types'))
->set('block_on_site_admin_approval', $form_state->getValue('block_on_site_admin_approval'))
->save();
parent::submitForm($form, $form_state);
}
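Review bot: `$form_state->getValue('block_on_site_admin_approval')` returns the checkbox's integer 0/1 while config/schema/oe_authentication.schema.yml declares the key as `boolean`; cast it for consistency with the schema, `->set('block_on_site_admin_approval', (bool) $form_state->getValue('block_on_site_admin_approval'))`.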
53 changes: 53 additions & 0 deletions tests/Behat/AuthenticationContext.php
Expand Up @@ -137,6 +137,59 @@ public function setNewUsersBlocked(): void {
$this->configContext->setConfig('user.settings', 'register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
}

/**
* Asserts that a give field is disabled.
*
* @param string $field_locator
* The field locator.
*
* @throws \Exception
* If the field is enabled.
*
* @Given (the ):field (field )should be disabled
*/
public function assertFieldIsDisabled(string $field_locator): void {
if ($this->isFieldEnabled($field_locator)) {
throw new \Exception("Field '$field_locator' is enabled but should be disabled.");
}
}

/**
* Asserts that a give field is not disabled.
*
* @param string $field_locator
* The field locator.
*
* @throws \Exception
* If the field is disabled.
*
* @Given (the ):field (field )should not be disabled
*/
public function assertFieldIsNotDisabled(string $field_locator): void {
if (!$this->isFieldEnabled($field_locator)) {
throw new \Exception("Field '$field_locator' is disabled but should be enabled.");
}
}

/**
* Finds out if a given field is enabled or disabled.
*
* @param string $field_locator
* The field locator.
*
* @return bool
* TRUE if the field is enabled, FALSE otherwise.
*
* @throws \Exception
* If the field doesn't exist.
*/
protected function isFieldEnabled(string $field_locator): bool {
if (!$field = $this->getSession()->getPage()->findField($field_locator)) {
throw new \Exception("Field '$field_locator' doesn't exist.");
}
return empty($field->getAttribute('disabled'));
}

/**
* We reset the authentication mock to the state as it was.
*
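Review bot: the docblocks on `assertFieldIsDisabled()` and `assertFieldIsNotDisabled()` both read "a give field"; should be "a given field". Both are assertion steps but are annotated `@Given`; Behat matches definitions regardless of the keyword, but `@Then` reads better for assertions. `isFieldEnabled()` treating any non-empty `disabled` attribute as disabled matches how Drupal renders `#disabled` (`disabled="disabled"`), so that is fine. The unchanged context line above still uses the deprecated global `USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL`; since the module code now uses `UserInterface::REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL`, update the test context the same way.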
10 changes: 10 additions & 0 deletions tests/features/configure_authentication.feature
Expand Up @@ -8,25 +8,35 @@ Feature: Authentication

@DrupalLogin @BackupAuthConfigs
Scenario: Configure Authentication settings
Given the site is configured to make users blocked on creation
When I am on "the Authentication configuration page"

Then I should see "Authentication settings"
# Check for the default config is there.
And the "Application authentication protocol" field should contain "eulogin"
And the "Application register path" field should contain "eim/external/register.cgi"
And the "Application validation path" field should contain "TicketValidationService"
And the "Application assurance levels" field should contain "TOP"
And the "Application available ticket types" field should contain "SERVICE,PROXY"
And the "Block newly created users if the site requires admin approval" field should not be disabled
And the "Block newly created users if the site requires admin approval" checkbox should be checked

# Change the configuration values.
When I fill in "Application authentication protocol" with "something"
And I fill in "Application register path" with "test/something"
And I fill in "Application validation path" with "validation/path"
And I fill in "Application assurance levels" with "assurance"
And I fill in "Application available ticket types" with "ticket.test"
And I uncheck "Block newly created users if the site requires admin approval"
And I press "Save configuration"
Then I should see the message "The configuration options have been saved."
And the "Application authentication protocol" field should contain "something"
And the "Application register path" field should contain "test/something"
And the "Application validation path" field should contain "validation/path"
And the "Application assurance levels" field should contain "assurance"
And the "Application available ticket types" field should contain "ticket.test"
And the "Block newly created users if the site requires admin approval" checkbox should be unchecked

Given the site is configured to make users active on creation
When I reload the page
Then the "Block newly created users if the site requires admin approval" field should be disabled
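Review bot: the scenario now opens with "the site is configured to make users blocked on creation" so the checkbox is enabled for the first assertions, then flips to "users active on creation" and checks the field is disabled; it does not assert that the stored value survives in the disabled state. Since the box was unchecked just before the switch, adding `And the "Block newly created users if the site requires admin approval" checkbox should be unchecked` after the reload would confirm the disabled element keeps its saved value.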
15 changes: 0 additions & 15 deletions tests/features/ecas-login.feature
Expand Up @@ -115,18 +115,3 @@ Feature: Login through OE Authentication
When I click "Log out"
And I press the "Log me out" button
Then I should be on the homepage

@cleanup:user
Scenario: A site that requires administration validation on users should block them by default
# When I try to log in again I will be denied access.
Given the site is configured to make users blocked on creation
When I am on the homepage
And I click "Log in"
And I click "European Commission"
And I fill in "Username or e-mail address" with "[email protected]"
And I fill in "Password" with "dragon_tattoo"
And I press the "Login!" button
Then I should be on the homepage
And I should see "Your account is blocked or has not been activated. Please contact a site administrator."
And I should see "Thank you for applying for an account. Your account is currently pending approval by the site administrator."
And I should see the link "Log in"
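Review bot: the removed scenario is recreated in tests/features/require-admin-approval.feature with the extra `I click "EU Login"` step and the `@DrupalLogin @BackupAuthConfigs` tags, so no coverage is lost; moving the approval behaviour into its own feature file is reasonable.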
42 changes: 42 additions & 0 deletions tests/features/require-admin-approval.feature
@@ -0,0 +1,42 @@
@api @javascript
Feature: As an on a site that requires registration admin approval, when
configuring the EU Login, I want to be able to decide whether users registered
via EU Login are active or blocked.

@cleanup:user @DrupalLogin @BackupAuthConfigs
Scenario: A site that requires administration validation on users should block
them by default

Given the site is configured to make users blocked on creation
And I am an anonymous user
When I am on the homepage
And I click "Log in"
And I click "EU Login"
And I click "European Commission"
And I fill in "Username or e-mail address" with "[email protected]"
And I fill in "Password" with "dragon_tattoo"
And I press the "Login!" button
Then I should be on the homepage
And I should see "Your account is blocked or has not been activated. Please contact a site administrator."
And I should see "Thank you for applying for an account. Your account is currently pending approval by the site administrator."
And I should see the link "Log in"
# Logout from EU Login.
And I click "Log in"
And I click "EU Login"
And I click "Logout"

Given I am logged in as a user with the "administer authentication configuration" permission
When I am on "the Authentication configuration page"
And I uncheck "Block newly created users if the site requires admin approval"
Then I press the "Save configuration" button

Given I am an anonymous user
When I am on the homepage
And I click "Log in"
And I click "EU Login"
And I click "European Commission"
And I fill in "Username or e-mail address" with "[email protected]"
And I fill in "Password" with "Qwerty098"
And I press the "Login!" button
Then I should be on the homepage
And I should see the link "Log out"
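Review bot: the feature description reads "As an on a site that requires registration admin approval"; a role word is missing ("As an administrator on a site ..."). In the scenario, `Then I press the "Save configuration" button` is an action, not an assertion, so use `And`. The two halves log in two different EU Login users (different passwords) and the second one ends up active on an approval-gated site, which is exactly the behaviour under test; confirm the `@cleanup:user` tag removes both accounts, otherwise the active one leaks into later scenarios.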