Add a keepSsoRegistrationEnabled admin setting - Closes #317

Bubka 2024-03-08 15:05:49 +01:00
parent 1a26c75325
commit e6d201d882
5 changed files with 43 additions and 7 deletions


@ -57,7 +57,7 @@ public function callback(Request $request, string $driver)
return redirect('/error?err=sso_email_already_used');
} elseif (User::count() === 0) {
$user->promoteToAdministrator();
} elseif (Settings::get('disableRegistration')) {
} elseif (Settings::get('disableRegistration') && ! Settings::get('keepSsoRegistrationEnabled')) {
return redirect('/error?err=sso_no_register');
}
$user->password = bcrypt(Str::random());
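Review bot: With the added `! Settings::get('keepSsoRegistrationEnabled')` term in the `elseif`, turning the override on leaves new-account creation gated only by whatever the identity provider authenticates, while the admin panel still shows registration as disabled. The help text changed in this same commit says the restriction list and rule have no effect on SSO registration, so with a public provider any account holder there could presumably be registered. I would put a comment above the branch, e.g. `// Override: SSO sign-ups stay open while registration is disabled; restrictList/restrictRule are not applied here`, and consider checking the provider e-mail against those rules before the user is saved. The body of `callback()` starts and ends outside this hunk, so whether `enableSso` is checked earlier cannot be seen here.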


@ -75,6 +75,7 @@
'disableRegistration' => false,
'enableSso' => true,
'restrictRegistration' => false,
'keepSsoRegistrationEnabled' => false,
],
/*


@ -29,6 +29,7 @@
restrictList: appSettings.restrictList,
restrictRule: appSettings.restrictRule,
disableRegistration: appSettings.disableRegistration,
keepSsoRegistrationEnabled: appSettings.keepSsoRegistrationEnabled,
enableSso: appSettings.enableSso,
})
@ -171,6 +172,8 @@
<!-- protect db -->
<FormCheckbox v-model="_settings.useEncryption" @update:model-value="val => saveSetting('useEncryption', val)" fieldName="useEncryption" label="admin.forms.use_encryption.label" help="admin.forms.use_encryption.help" />
<h4 class="title is-4 pt-4 has-text-grey-light">{{ $t('admin.registrations') }}</h4>
<!-- disable SSO registration -->
<FormCheckbox v-model="_settings.enableSso" @update:model-value="val => saveSetting('enableSso', val)" fieldName="enableSso" label="admin.forms.enable_sso.label" help="admin.forms.enable_sso.help" />
<!-- restrict registration -->
<FormCheckbox v-model="_settings.restrictRegistration" @update:model-value="val => saveSetting('restrictRegistration', val)" fieldName="restrictRegistration" :isDisabled="appSettings.disableRegistration" label="admin.forms.restrict_registration.label" help="admin.forms.restrict_registration.help" />
<!-- restrict list -->
@ -179,8 +182,8 @@
<FormField v-model="_settings.restrictRule" @change:model-value="val => saveOrDeleteSetting('restrictRule', val)" :fieldError="fieldErrors.restrictRule" fieldName="restrictRule" :isDisabled="!appSettings.restrictRegistration || appSettings.disableRegistration" label="admin.forms.restrict_rule.label" help="admin.forms.restrict_rule.help" :isIndented="true" leftIcon="slash" rightIcon="slash" />
<!-- disable registration -->
<FormCheckbox v-model="_settings.disableRegistration" @update:model-value="val => saveSetting('disableRegistration', val)" fieldName="disableRegistration" label="admin.forms.disable_registration.label" help="admin.forms.disable_registration.help" />
<!-- disable SSO registration -->
<FormCheckbox v-model="_settings.enableSso" @update:model-value="val => saveSetting('enableSso', val)" fieldName="enableSso" label="admin.forms.enable_sso.label" help="admin.forms.enable_sso.help" />
<!-- keep sso registration -->
<FormCheckbox v-model="_settings.keepSsoRegistrationEnabled" @change:model-value="val => saveOrDeleteSetting('keepSsoRegistrationEnabled', val)" :fieldError="fieldErrors.keepSsoRegistrationEnabled" fieldName="keepSsoRegistrationEnabled" :isDisabled="!appSettings.enableSso || !appSettings.disableRegistration" label="admin.forms.keep_sso_registration_enabled.label" help="admin.forms.keep_sso_registration_enabled.help" :isIndented="true" />
</form>
<h4 class="title is-4 pt-5 has-text-grey-light">{{ $t('commons.environment') }}</h4>
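Review bot: The new `keepSsoRegistrationEnabled` checkbox is bound with `@change:model-value` and `saveOrDeleteSetting`, which is the binding the `FormField` for `restrictRule` uses; every other `FormCheckbox` in this section uses `@update:model-value` with `saveSetting`. If `FormCheckbox` emits only `update:model-value` (its definition is not visible here), toggling this box would never persist and the override would keep whatever value was stored before. I would bind it like its siblings: `@update:model-value="val => saveSetting('keepSsoRegistrationEnabled', val)"`. Separately, `:isDisabled` appears only to grey the control out, so a stored `true` would survive `disableRegistration` being switched off and on again; the help text or a comment should say that the override comes back with it.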


@ -76,7 +76,7 @@
],
'restrict_registration' => [
'label' => 'Restrict registration',
'help' => 'Make registration only available to a limited range of email addresses. Both rules can be used simultaneously.',
'help' => 'Make registration only available to a limited range of email addresses. Both rules can be used simultaneously. This has no effect on registration via SSO.',
],
'restrict_list' => [
'label' => 'Filtering list',
@ -88,12 +88,16 @@
],
'disable_registration' => [
'label' => 'Disable registration',
'help' => 'Prevent new user registration. This affects SSO as well, so new SSO users won\'t be able to sign on',
'help' => 'Prevent new user registration. Unless overridden (see below), this affects SSO as well, so new users won\'t be able to sign in via SSO',
],
'enable_sso' => [
'label' => 'Enable Single Sign-On (SSO)',
'help' => 'Allow visitors to authenticate using an external ID via the Single Sign-On scheme',
],
'keep_sso_registration_enabled' => [
'label' => 'Keep SSO registration enabled',
'help' => 'Allow new users to sign in for the first time via SSO whereas registration is disabled',
],
'is_admin' => [
'label' => 'Is administrator',
'help' => 'Give administrator rights to the user. Administrators have permissions to manage the whole app, i.e. settings and other users, but cannot generate password for a 2FA they don\'t own.'


@ -253,9 +253,10 @@ public function test_callback_returns_error_when_email_is_already_used()
/**
* @test
*/
public function test_callback_returns_error_when_registrations_are_closed()
public function test_callback_redirects_to_error_when_registrations_are_closed()
{
Settings::set('disableRegistration', true);
Settings::set('keepSsoRegistrationEnabled', false);
$newSocialiteUser = new \Laravel\Socialite\Two\User;
$newSocialiteUser->id = 'rejected_id';
@ -273,9 +274,10 @@ public function test_callback_returns_error_when_registrations_are_closed()
/**
* @test
*/
public function test_callback_skips_registration_when_registrations_are_closed()
public function test_callback_skips_registration_when_all_registrations_are_closed()
{
Settings::set('disableRegistration', true);
Settings::set('keepSsoRegistrationEnabled', false);
$newSocialiteUser = new \Laravel\Socialite\Two\User;
$newSocialiteUser->id = 'rejected_id';
@ -292,4 +294,30 @@ public function test_callback_skips_registration_when_registrations_are_closed()
'oauth_provider' => self::USER_OAUTH_PROVIDER,
]);
}
/**
* @test
*/
public function test_callback_registers_new_user_when_sso_registrations_are_enabled()
{
Settings::set('disableRegistration', true);
Settings::set('keepSsoRegistrationEnabled', true);
$newSocialiteUser = new \Laravel\Socialite\Two\User;
$newSocialiteUser->id = 'new_id';
$newSocialiteUser->name = 'jane';
$newSocialiteUser->email = 'jane@provider.com';
Socialite::shouldReceive('driver->user')
->andReturn($newSocialiteUser);
$response = $this->get('/socialite/callback/github', ['driver' => 'github']);
$this->assertDatabaseHas('users', [
'oauth_id' => 'new_id',
'oauth_provider' => self::USER_OAUTH_PROVIDER,
'email' => 'jane@provider.com',
'is_admin' => 0,
]);
}
}
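Review bot: The added `test_callback_registers_new_user_when_sso_registrations_are_enabled` pins only the permissive path (`disableRegistration` true, `keepSsoRegistrationEnabled` true); no test here pins what happens when the override is stored as true while `enableSso` is false. A companion test that sets `Settings::set('enableSso', false)` with the override on and uses `assertDatabaseMissing('users', ['oauth_id' => 'new_id'])` would keep the override from becoming a registration path on its own; whether the route already rejects the callback when SSO is off is not visible in this section. The new test also never asserts on `$response`, so a redirect to an error page after the row is written would go unnoticed. As a smaller point, the second argument of `$this->get()` is the headers array, so `['driver' => 'github']` is sent as a request header rather than a route parameter and can be dropped.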