replace org_user deactivation with removal of org_user role #4477
@@ -326,3 +326,10 @@ | |
# so you need to do it manually. For the users scope, it would be: | ||
# config.omniauth_path_prefix = '/my_engine/users/auth' | ||
end | ||
|
||
Warden::Manager.after_set_user do |user, auth, opts| | ||
if user.roles.empty? | ||
auth.logout | ||
throw(:warden) | ||
end | ||
end | ||
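Review bot: `throw(:warden)` is thrown without a `message:`, so Devise's failure app falls back to its generic unauthenticated flash, which is exactly the wording the spec later has to assert on; passing one, for example `throw(:warden, message: :inactive)` (Devise resolves a symbol through its `devise.failure.*` translations, and `inactive` is one of the defaults), would let the flash say the account cannot be used instead of telling the user to sign in. Two more points on the hook: `after_set_user` runs on every request that fetches the user from the session, not only at login, so removing a user's last role ends their current session on the next request (good for immediate revocation, at the cost of a `roles` query per request); and the block does not check which Warden scope `user` belongs to, so if a second Devise scope whose model has no `roles` association is ever added, this hook will raise on it. Calling `auth.logout` before throwing is the right order, since it clears the session before the failure app renders.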
Comment on lines +329 to +335:

This little change deals with the situation where a user has no roles (in that case we don't let them log in). This mirrors the behavior of dealing with discarded users (that is done with a default scope on users). I considered 2 other options:

This is what I came up with in terms of a data migration. I am not totally sure it makes sense. But my logic was: a discarded user with the 'org_user' role is probably someone that got deactivated.
@@ -0,0 +1,15 @@ | ||
class ReactivateUsersAndRemoveOrgUserRoles < ActiveRecord::Migration[7.1] | ||
def up | ||
users = User.unscoped.where.not(discarded_at: nil) | ||
users.each do |user| | ||
user.transaction do | ||
user.update!(discarded_at: nil) | ||
user.roles.delete_all | ||
end | ||
end | ||
end | ||
I checked the data, and every discarded user has an org_user role. This makes sense, because you can only discard a user from the organization user management page. So I think you're safe to not have to check the role name. In fact, you should just delete all roles that belong to current discarded users - many of them also have partner roles, but if they're discarded, they wouldn't have been able to log in. So effectively all their roles should be removed.

Updated this. Since all discarded users are org users, might as well simplify it further and just deal exclusively with discarded users.
||
|
||
def down | ||
raise ActiveRecord::IrreversibleMigration | ||
end | ||
end |
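Review bot: `user.update!(discarded_at: nil)` runs the full `User` validations and callbacks inside a data migration, so one legacy discarded record that no longer validates aborts the run part-way, and because each user gets its own `user.transaction`, everything committed in earlier iterations stays applied while later users remain discarded with their roles intact. `update_column(:discarded_at, nil)` on each user (or a single `users.update_all(discarded_at: nil)` once the role rows are gone) sidesteps the validations, and one outer transaction around the loop makes the migration all-or-nothing. Since `down` raises `ActiveRecord::IrreversibleMigration`, the knowledge of which users had been deactivated is gone once `up` runs; logging the affected ids, or at least their count, before clearing `discarded_at` keeps an audit trail. Note also that after this migration the only thing keeping a formerly discarded user out is the new `after_set_user` hook, so the initializer change and this migration have to ship in the same deploy.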
@@ -0,0 +1,14 @@ | ||
# == Schema Information | ||
# | ||
# Table name: users_roles | ||
# | ||
# id :bigint not null, primary key | ||
# role_id :bigint | ||
# user_id :bigint | ||
# | ||
FactoryBot.define do | ||
factory :users_role do | ||
user | ||
role | ||
end | ||
end |
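Review bot: the factory carries no comment saying why specs now need to build a `users_roles` row directly rather than going through the `:user` factory's own roles; a one-liner (for instance, that it lets a spec attach or strip a single role to exercise the new no-roles login rule) would help the next reader. Also, `user` and `role` here fall back to the default `:user` and `:role` factories, and the existence of a `:no_roles` trait in the spec hunk implies the default `:user` factory assigns roles of its own, so `create(:users_role)` will leave the user with more roles than the one this factory added; pass the user explicitly, `create(:users_role, user: user, role: role)`, whenever a spec asserts on the exact role set.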
@@ -10,9 +10,23 @@ | |
end | ||
end | ||
|
||
describe "User with no roles" do | ||
before do | ||
create(:user, :no_roles, email: "no_role_user@example.com") | ||
end | ||
|
||
it "should not allow the user to log in" do | ||
visit "/users/sign_in" | ||
fill_in "user_email", with: "no_role_user@example.com" | ||
fill_in "user_password", with: DEFAULT_USER_PASSWORD | ||
find('input[name="commit"]').click | ||
expect(page).to have_content("You need to sign in before continuing.") | ||
I don't love this error message but I could not figure out how to change it. I tried

Not ideal, but this kind of code is super hairy. I'd timebox it and if you can't change it, I'm OK with it as is. @cielf for final decision here.
||
end | ||
end | ||
|
||
describe "Deactivated user" do | ||
before do | ||
create(:user, :deactivated, email: "deactivated@exmaple.com") | ||
create(:user, :deactivated, email: "deactivated@example.com") | ||
end | ||
|
||
it "should not allow the user to log in" do | ||
|
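Review bot: the "User with no roles" example only asserts that the page shows "You need to sign in before continuing.", which is Devise's generic unauthenticated flash; the same text appears when login fails for an unrelated reason such as a wrong password, so the example cannot tell the new role check apart from any other failure. Adding `expect(page).to have_current_path("/users/sign_in")` and keeping a sibling example in which the same credentials on a user that does hold a role reach the signed-in page gives it a positive control. Because the `after_set_user` hook also fires when the user is fetched from the session, a further example that signs a user in, deletes their roles, and then visits any page would cover the mid-session revocation path the hook introduces, which nothing in this spec exercises yet.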
I modified this method rather than using the admin roles controller because that required the super admin role and I thought it did not make sense to alter that logic.