Added variable in .env to enforce certain domains in account registrations (#1589)

Allow REQUIRE_MAIL_DOMAIN to not exist in addition to it being empty

Undo changes in config/locales/de_DE.yml

changed .env variable name to GREENLIGHT_ACCOUNT_HD; allowed only comma and no whitespace as separator

Allow the admin to change email-addresses, just enforce domain on registration

Co-authored-by: Gaja Sophie Peters <gaja.peters@uni-hamburg.de>
Co-authored-by: Ahmad Farhat <ahmad.af.farhat@gmail.com>

app/models/user.rb

@@ -39,6 +39,7 @@ class User < ApplicationRecord
                    format: { without: %r{https?://}i }
   validates :provider, presence: true
   validate :check_if_email_can_be_blank
+  validate :check_domain, if: :greenlight_account?, on: :create
   validates :email, length: { maximum: 256 }, allow_blank: true,
                     uniqueness: { case_sensitive: false, scope: :provider },
                     format: { with: /\A[\w+\-'.]+@[a-z\d\-.]+\.[a-z]+\z/i }
@@ -234,6 +235,13 @@ class User < ApplicationRecord
     Role.create_default_roles(role_provider) if Role.where(provider: role_provider).count.zero?
   end
 
+  def check_domain
+    if Rails.configuration.require_email_domain.any? && !email.end_with?(*Rails.configuration.require_email_domain)
+      errors.add(:email, I18n.t("errors.messages.domain",
+        email_domain: Rails.configuration.require_email_domain.join('" ' + I18n.t("modal.login.or") + ' "')))
+    end
+  end
+
   def check_if_email_can_be_blank
     if email.blank?
       if Rails.configuration.loadbalanced_configuration && greenlight_account?

config/application.rb

@@ -94,6 +94,9 @@ module Greenlight
     # Determine if GreenLight should enable email verification
     config.enable_email_verification = parse_bool(ENV['ALLOW_MAIL_NOTIFICATIONS'])
 
+    # Determine if GreenLight should require a certain mail-domain
+    config.require_email_domain = ENV["GREENLIGHT_ACCOUNT_HD"].to_s.split(",")
+
     # Determine if GreenLight should allow non-omniauth signup/login.
     config.allow_user_signup = parse_bool(ENV['ALLOW_GREENLIGHT_ACCOUNTS'])
 

config/locales/en.yml

@@ -269,6 +269,7 @@ en:
       accepted: must be accepted
       confirmation: doesn't match %{attribute}
       inclusion: is not included in the list
+      domain: must end with "%{email_domain}"
     no_provider:
       message: The site you are trying to access is not enabled
       help: Please contact your system administrator to setup Greenlight

sample.env

@@ -105,6 +105,12 @@ LDAP_ATTRIBUTE_MAPPING=
 #
 ALLOW_GREENLIGHT_ACCOUNTS=true
 
+# "hosted domain" part of the Email-Address required for signup for a greenlight account
+#    domain.com matches also mail.domain.com
+#    @domain.com does NOT match @mail.domain.com
+#    multiple domains can be separated by comma (with no whitespace!)
+#GREENLIGHT_ACCOUNT_HD=@domain.com,subdomain-allowed.net
+
 # To enable reCaptcha on the user sign up, define these 2 keys
 # You can obtain these keys by registering your domain using the following url:
 #