GRN2-6: Added the ability for admins to specify registration method (#520)

* Added the ability to invite users * Small bug fix * Added the ability to approve/decline users * Small bug fixes * More bug fixes * More minor changes * Final changes
2019-05-17 16:26:49 -04:00
parent adf4b68008
commit 720dac6012
37 changed files with 928 additions and 101 deletions
--- a/app/controllers/account_activations_controller.rb
+++ b/app/controllers/account_activations_controller.rb
@ -32,6 +32,10 @@ class AccountActivationsController < ApplicationController
    if @user && !@user.activated? && @user.authenticated?(:activation, params[:token])
      @user.activate

+      # Redirect user to root with account pending flash if account is still pending
+      return redirect_to root_path,
+        flash: { success: I18n.t("registration.approval.signup") } if @user.has_role?(:pending)
+
      flash[:success] = I18n.t("verify.activated") + " " + I18n.t("verify.signin")
      redirect_to signin_path
    else
--- a/app/controllers/admins_controller.rb
+++ b/app/controllers/admins_controller.rb
@ -18,10 +18,15 @@

 class AdminsController < ApplicationController
  include Pagy::Backend
+  include Emailer
+
+  manage_users = [:edit_user, :promote, :demote, :ban_user, :unban_user, :approve]
+  site_settings = [:branding, :coloring, :registration_method]
+
  authorize_resource class: false
-  before_action :find_user, only: [:edit_user, :promote, :demote, :ban_user, :unban_user]
-  before_action :verify_admin_of_user, only: [:edit_user, :promote, :demote, :ban_user, :unban_user]
-  before_action :find_setting, only: [:branding, :coloring]
+  before_action :find_user, only: manage_users
+  before_action :verify_admin_of_user, only: manage_users
+  before_action :find_setting, only: site_settings

  # GET /admins
  def index
@ -29,19 +34,11 @@ class AdminsController < ApplicationController
    @order_column = params[:column] && params[:direction] != "none" ? params[:column] : "created_at"
    @order_direction = params[:direction] && params[:direction] != "none" ? params[:direction] : "DESC"

-    if Rails.configuration.loadbalanced_configuration
-      @pagy, @users = pagy(User.without_role(:super_admin)
-                  .where(provider: user_settings_provider)
-                  .where.not(id: current_user.id)
-                  .admins_search(@search)
-                  .admins_order(@order_column, @order_direction))
-    else
-      @pagy, @users = pagy(User.where.not(id: current_user.id)
-                      .admins_search(@search)
-                      .admins_order(@order_column, @order_direction))
-    end
+    @pagy, @users = pagy(user_list)
  end

+  # MANAGE USERS
+
  # GET /admins/edit/:user_uid
  def edit_user
    render "admins/index", locals: { setting_id: "account" }
@ -59,6 +56,48 @@ class AdminsController < ApplicationController
    redirect_to admins_path, flash: { success: I18n.t("administrator.flash.demoted") }
  end

+  # POST /admins/ban/:user_uid
+  def ban_user
+    @user.remove_role :pending if @user.has_role? :pending
+    @user.add_role :denied
+    redirect_to admins_path, flash: { success: I18n.t("administrator.flash.banned") }
+  end
+
+  # POST /admins/unban/:user_uid
+  def unban_user
+    @user.remove_role :denied
+    redirect_to admins_path, flash: { success: I18n.t("administrator.flash.unbanned") }
+  end
+
+  # POST /admins/approve/:user_uid
+  def approve
+    @user.remove_role :pending
+
+    send_user_approved_email(@user)
+
+    redirect_to admins_path, flash: { success: I18n.t("administrator.flash.approved") }
+  end
+
+  # POST /admins/invite
+  def invite
+    email = params[:invite_user][:email]
+
+    begin
+      invitation = create_or_update_invite(email)
+
+      send_invitation_email(current_user.name, email, invitation.invite_token)
+    rescue => e
+      logger.error "Error in email delivery: #{e}"
+      flash[:alert] = I18n.t(params[:message], default: I18n.t("delivery_error"))
+    else
+      flash[:success] = I18n.t("administrator.flash.invite", email: email)
+    end
+
+    redirect_to admins_path
+  end
+
+  # SITE SETTINGS
+
  # POST /admins/branding
  def branding
    @settings.update_value("Branding Image", params[:url])
@ -68,19 +107,22 @@ class AdminsController < ApplicationController
  # POST /admins/color
  def coloring
    @settings.update_value("Primary Color", params[:color])
-    redirect_to admins_path(setting: "site_settings")
+    redirect_to admins_path
  end

-  # POST /admins/ban/:user_uid
-  def ban_user
-    @user.add_role :denied
-    redirect_to admins_path, flash: { success: I18n.t("administrator.flash.banned") }
-  end
+  # POST /admins/registration_method/:method
+  def registration_method
+    new_method = Rails.configuration.registration_methods[params[:method].to_sym]

-  # POST /admins/unban/:user_uid
-  def unban_user
-    @user.remove_role :denied
-    redirect_to admins_path, flash: { success: I18n.t("administrator.flash.unbanned") }
+    # Only allow change to Join by Invitation if user has emails enabled
+    if !Rails.configuration.enable_email_verification && new_method == Rails.configuration.registration_methods[:invite]
+      redirect_to admins_path,
+        flash: { alert: I18n.t("administrator.flash.invite_email_verification") }
+    else
+      @settings.update_value("Registration Method", new_method)
+      redirect_to admins_path,
+        flash: { success: I18n.t("administrator.flash.registration_method_updated") }
+    end
  end

  private
@ -97,4 +139,35 @@ class AdminsController < ApplicationController
    redirect_to admins_path,
      flash: { alert: I18n.t("administrator.flash.unauthorized") } unless current_user.admin_of?(@user)
  end
+
+  # Gets the list of users based on your configuration
+  def user_list
+    if Rails.configuration.loadbalanced_configuration
+      User.without_role(:super_admin)
+          .where(provider: user_settings_provider)
+          .where.not(id: current_user.id)
+          .admins_search(@search)
+          .admins_order(@order_column, @order_direction)
+    else
+      User.where.not(id: current_user.id)
+          .admins_search(@search)
+          .admins_order(@order_column, @order_direction)
+    end
+  end
+
+  # Creates the invite if it doesn't exist, or updates the updated_at time if it does
+  def create_or_update_invite(email)
+    invite = Invitation.find_by(email: email, provider: @user_domain)
+
+    # Invite already exists
+    if invite.present?
+      # Updates updated_at to now
+      invite.touch
+    else
+      # Creates invite
+      invite = Invitation.create(email: email, provider: @user_domain)
+    end
+
+    invite
+  end
 end
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -19,6 +19,7 @@
 require 'bigbluebutton_api'

 class ApplicationController < ActionController::Base
+  include ApplicationHelper
  include SessionsHelper
  include ThemingHelper

@ -26,7 +27,7 @@ class ApplicationController < ActionController::Base
  before_action :set_locale
  before_action :check_admin_password
  before_action :set_user_domain
-  before_action :check_if_unbanned
+  before_action :check_user_role

  # Force SSL for loadbalancer configurations.
  before_action :redirect_to_https
@ -84,7 +85,7 @@ class ApplicationController < ActionController::Base
  helper_method :recording_thumbnails?

  def allow_greenlight_users?
-    Rails.configuration.greenlight_accounts
+    allow_greenlight_accounts?
  end
  helper_method :allow_greenlight_users?

@ -136,11 +137,14 @@ class ApplicationController < ActionController::Base
  helper_method :set_user_domain

  # Checks if the user is banned and logs him out if he is
-  def check_if_unbanned
-    if current_user&.has_role?(:denied)
+  def check_user_role
+    if current_user&.has_role? :denied
      session.delete(:user_id)
-      redirect_to unauthorized_path
+      redirect_to root_path, flash: { alert: I18n.t("registration.banned.fail") }
+    elsif current_user&.has_role? :pending
+      session.delete(:user_id)
+      redirect_to root_path, flash: { alert: I18n.t("registration.approval.fail") }
    end
  end
-  helper_method :check_if_unbanned
+  helper_method :check_user_role
 end
--- a/app/controllers/concerns/emailer.rb
+++ b/app/controllers/concerns/emailer.rb
@ -31,12 +31,32 @@ module Emailer
    UserMailer.password_reset(@user, reset_link, logo_image, user_color).deliver_now
  end

+  # Sends inivitation to join
+  def send_invitation_email(name, email, token)
+    @token = token
+    UserMailer.invite_email(name, email, invitation_link, logo_image, user_color).deliver_now
+  end
+
+  def send_user_approved_email(user)
+    UserMailer.approve_user(user, root_url, logo_image, user_color).deliver_now
+  end
+
+  private
+
  # Returns the link the user needs to click to verify their account
  def user_verification_link
-    request.base_url + edit_account_activation_path(token: @user.activation_token, email: @user.email)
+    edit_account_activation_url(token: @user.activation_token, email: @user.email)
  end

  def reset_link
-    request.base_url + edit_password_reset_path(@user.reset_token, email: @user.email)
+    edit_password_reset_url(@user.reset_token, email: @user.email)
+  end
+
+  def invitation_link
+    if allow_greenlight_users?
+      signup_url(invite_token: @token)
+    else
+      root_url(invite_token: @token)
+    end
  end
 end
--- a/app/controllers/concerns/registrar.rb
+++ b/app/controllers/concerns/registrar.rb
@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/.
+#
+# Copyright (c) 2018 BigBlueButton Inc. and by respective authors (see below).
+#
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+
+module Registrar
+  extend ActiveSupport::Concern
+
+  def registration_method
+    Setting.find_or_create_by!(provider: user_settings_provider).get_value("Registration Method")
+  end
+
+  def open_registration
+     registration_method == Rails.configuration.registration_methods[:open]
+  end
+
+  def approval_registration
+     registration_method == Rails.configuration.registration_methods[:approval]
+  end
+
+  def invite_registration
+     registration_method == Rails.configuration.registration_methods[:invite]
+  end
+
+  # Returns a hash containing whether the user has been invited and if they
+  # signed up with the same email that they were invited with
+  def check_user_invited(email, token, domain)
+    return { present: true, verified: false } unless invite_registration
+    return { present: false, verified: false } if token.nil?
+
+    invite = Invitation.valid.find_by(invite_token: token, provider: domain)
+    if invite.present?
+      # Check if they used the same email to sign up
+      same_email = email.casecmp(invite.email).zero?
+      invite.destroy
+      { present: true, verified: same_email }
+    else
+      { present: false, verified: false }
+    end
+  end
+end
--- a/app/controllers/main_controller.rb
+++ b/app/controllers/main_controller.rb
@ -17,7 +17,10 @@
 # with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.

 class MainController < ApplicationController
+  include Registrar
  # GET /
  def index
+    # Store invite token
+    session[:invite_token] = params[:invite_token] if params[:invite_token] && invite_registration
  end
 end
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -17,6 +17,8 @@
 # with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.

 class SessionsController < ApplicationController
+  include Registrar
+
  skip_before_action :verify_authenticity_token, only: [:omniauth, :fail]

  # GET /users/logout
@ -32,11 +34,11 @@ class SessionsController < ApplicationController
      user = admin
    else
      user = User.find_by(email: session_params[:email], provider: @user_domain)
-      redirect_to(root_path, alert: I18n.t("invalid_user")) && return unless user
+      redirect_to(signin_path, alert: I18n.t("invalid_user")) && return unless user
      redirect_to(root_path, alert: I18n.t("invalid_login_method")) && return unless user.greenlight_account?
      redirect_to(account_activation_path(email: user.email)) && return unless user.activated?
    end
-    redirect_to(root_path, alert: I18n.t("invalid_credentials")) && return unless user.try(:authenticate,
+    redirect_to(signin_path, alert: I18n.t("invalid_credentials")) && return unless user.try(:authenticate,
      session_params[:password])

    login(user)
@ -44,11 +46,26 @@ class SessionsController < ApplicationController

  # GET/POST /auth/:provider/callback
  def omniauth
-    user = User.from_omniauth(request.env['omniauth.auth'])
-    login(user)
-  rescue => e
-    logger.error "Error authenticating via omniauth: #{e}"
-    omniauth_fail
+    begin
+      @auth = request.env['omniauth.auth']
+      @user_exists = check_user_exists
+
+      # If using invitation registration method, make sure user is invited
+      return redirect_to root_path, flash: { alert: I18n.t("registration.invite.no_invite") } unless passes_invite_reqs
+
+      user = User.from_omniauth(@auth)
+
+      # Add pending role if approval method and is a new user
+      if approval_registration && !@user_exists
+        user.add_role :pending
+        return redirect_to root_path, flash: { success: I18n.t("registration.approval.signup") }
+      end
+
+      login(user)
+    rescue => e
+        logger.error "Error authenticating via omniauth: #{e}"
+        omniauth_fail
+    end
  end

  # POST /auth/failure
@ -61,4 +78,17 @@ class SessionsController < ApplicationController
  def session_params
    params.require(:session).permit(:email, :password)
  end
+
+  def check_user_exists
+    provider = @auth['provider'] == "bn_launcher" ? @auth['info']['customer'] : @auth['provider']
+    User.exists?(social_uid: @auth['uid'], provider: provider)
+  end
+
+  # Check if the user already exists, if not then check for invitation
+  def passes_invite_reqs
+    return true if @user_exists
+
+    invitation = check_user_invited("", session[:invite_token], @user_domain)
+    invitation[:present]
+  end
 end
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -20,6 +20,7 @@ class UsersController < ApplicationController
  include RecordingsHelper
  include Pagy::Backend
  include Emailer
+  include Registrar

  before_action :find_user, only: [:edit, :update, :destroy]
  before_action :ensure_unauthenticated, only: [:new, :create]
@ -32,29 +33,29 @@ class UsersController < ApplicationController
    @user = User.new(user_params)
    @user.provider = @user_domain

-    # Add validation errors to model if they exist
-    valid_user = @user.valid?
-    valid_captcha = Rails.configuration.recaptcha_enabled ? verify_recaptcha(model: @user) : true
+    # User or recpatcha is not valid
+    render(:new) && return unless valid_user_or_captcha

-    if valid_user && valid_captcha
-      @user.save
-    else
-      render(:new) && return
+    # Redirect to root if user token is either invalid or expired
+    return redirect_to root_path, flash: { alert: I18n.t("registration.invite.fail") } unless passes_invite_reqs
+
+    # User has passed all validations required
+    @user.save
+
+    # Set user to pending and redirect if Approval Registration is set
+    if approval_registration
+      @user.add_role :pending
+
+      return redirect_to root_path,
+        flash: { success: I18n.t("registration.approval.signup") } unless Rails.configuration.enable_email_verification
    end

-    # Sign in automatically if email verification is disabled.
-    login(@user) && return unless Rails.configuration.enable_email_verification
+    # Sign in automatically if email verification is disabled or if user is already verified.
+    login(@user) && return if !Rails.configuration.enable_email_verification || @user.email_verified

-    # Start email verification and redirect to root.
-    begin
-      send_activation_email(@user)
-    rescue => e
-      logger.error "Error in email delivery: #{e}"
-      flash[:alert] = I18n.t(params[:message], default: I18n.t("delivery_error"))
-    else
-      flash[:success] = I18n.t("email_sent", email_type: t("verify.verification"))
-    end
-    redirect_to(root_path)
+    send_verification
+
+    redirect_to root_path
  end

  # GET /signin
@ -63,11 +64,16 @@ class UsersController < ApplicationController

  # GET /signup
  def new
-    if Rails.configuration.allow_user_signup
-      @user = User.new
-    else
-      redirect_to root_path
+    return redirect_to root_path unless Rails.configuration.allow_user_signup
+
+    # Check if the user needs to be invited
+    if invite_registration
+      redirect_to root_path, flash: { alert: I18n.t("registration.invite.no_invite") } unless params[:invite_token]
+
+      session[:invite_token] = params[:invite_token]
    end
+
+    @user = User.new
  end

  # GET /u/:user_uid/edit
@ -174,4 +180,34 @@ class UsersController < ApplicationController
    params.require(:user).permit(:name, :email, :image, :password, :password_confirmation,
      :new_password, :provider, :accepted_terms, :language)
  end
+
+  def send_verification
+    # Start email verification and redirect to root.
+    begin
+      send_activation_email(@user)
+    rescue => e
+      logger.error "Error in email delivery: #{e}"
+      flash[:alert] = I18n.t(params[:message], default: I18n.t("delivery_error"))
+    else
+      flash[:success] = I18n.t("email_sent", email_type: t("verify.verification"))
+    end
+  end
+
+  # Add validation errors to model if they exist
+  def valid_user_or_captcha
+    valid_user = @user.valid?
+    valid_captcha = Rails.configuration.recaptcha_enabled ? verify_recaptcha(model: @user) : true
+
+    valid_user && valid_captcha
+  end
+
+  # Checks if the user passes the requirements to be invited
+  def passes_invite_reqs
+    # check if user needs to be invited and IS invited
+    invitation = check_user_invited(@user.email, session[:invite_token], @user_domain)
+
+    @user.email_verified = true if invitation[:verified]
+
+    invitation[:present]
+  end
 end