FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978)
The 'Discourse SSO' protocol is being rebranded to DiscourseConnect. This should help to reduce confusion when 'SSO' is used in the generic sense. This commit aims to: - Rename `sso_` site settings. DiscourseConnect specific ones are prefixed `discourse_connect_`. Generic settings are prefixed `auth_` - Add (server-side-only) backwards compatibility for the old setting names, with deprecation notices - Copy `site_settings` database records to the new names - Rename relevant translation keys - Update relevant translations This commit does **not** aim to: - Rename any Ruby classes or methods. This might be done in a future commit - Change any URLs. This would break existing integrations - Make any changes to the protocol. This would break existing integrations - Change any functionality. Further normalization across DiscourseConnect and other auth methods will be done separately The risks are: - There is no backwards compatibility for site settings on the client-side. Accessing auth-related site settings in Javascript is fairly rare, and an error on the client side would not be security-critical. - If a plugin is monkey-patching parts of the auth process, changes to locale keys could cause broken error messages. This should also be unlikely. The old site setting names remain functional, so security-related overrides will remain working. A follow-up commit will be made with a post-deploy migration to delete the old `site_settings` rows.
This commit is contained in:
parent
205db66864
commit
821bb1e8cb
|
@ -590,7 +590,7 @@ export default Controller.extend(CanCheckEmails, {
|
||||||
|
|
||||||
deleteSSORecord() {
|
deleteSSORecord() {
|
||||||
return bootbox.confirm(
|
return bootbox.confirm(
|
||||||
I18n.t("admin.user.sso.confirm_delete"),
|
I18n.t("admin.user.discourse_connect.confirm_delete"),
|
||||||
I18n.t("no_value"),
|
I18n.t("no_value"),
|
||||||
I18n.t("yes_value"),
|
I18n.t("yes_value"),
|
||||||
(confirmed) => {
|
(confirmed) => {
|
||||||
|
|
|
@ -70,8 +70,8 @@
|
||||||
{{/if}}
|
{{/if}}
|
||||||
</div>
|
</div>
|
||||||
<div class="controls">
|
<div class="controls">
|
||||||
{{#if siteSettings.sso_overrides_email}}
|
{{#if siteSettings.auth_overrides_email}}
|
||||||
{{i18n "user.email.sso_override_instructions"}}
|
{{i18n "user.email.auth_override_instructions"}}
|
||||||
{{else if model.email}}
|
{{else if model.email}}
|
||||||
{{html-safe (i18n "admin.user.visit_profile" url=preferencesPath)}}
|
{{html-safe (i18n "admin.user.visit_profile" url=preferencesPath)}}
|
||||||
{{/if}}
|
{{/if}}
|
||||||
|
@ -105,8 +105,8 @@
|
||||||
<div class="controls">
|
<div class="controls">
|
||||||
{{#if model.email}}
|
{{#if model.email}}
|
||||||
{{#if model.secondary_emails}}
|
{{#if model.secondary_emails}}
|
||||||
{{#if siteSettings.sso_overrides_email}}
|
{{#if siteSettings.auth_overrides_email}}
|
||||||
{{i18n "user.email.sso_override_instructions"}}
|
{{i18n "user.email.auth_override_instructions"}}
|
||||||
{{else}}
|
{{else}}
|
||||||
{{html-safe (i18n "admin.user.visit_profile" url=preferencesPath)}}
|
{{html-safe (i18n "admin.user.visit_profile" url=preferencesPath)}}
|
||||||
{{/if}}
|
{{/if}}
|
||||||
|
@ -646,11 +646,11 @@
|
||||||
|
|
||||||
{{#if model.single_sign_on_record}}
|
{{#if model.single_sign_on_record}}
|
||||||
<section class="details">
|
<section class="details">
|
||||||
<h1>{{i18n "admin.user.sso.title"}}</h1>
|
<h1>{{i18n "admin.user.discourse_connect.title"}}</h1>
|
||||||
|
|
||||||
{{#with model.single_sign_on_record as |sso|}}
|
{{#with model.single_sign_on_record as |sso|}}
|
||||||
<div class="display-row">
|
<div class="display-row">
|
||||||
<div class="field">{{i18n "admin.user.sso.external_id"}}</div>
|
<div class="field">{{i18n "admin.user.discourse_connect.external_id"}}</div>
|
||||||
<div class="value">{{sso.external_id}}</div>
|
<div class="value">{{sso.external_id}}</div>
|
||||||
{{#if model.can_delete_sso_record}}
|
{{#if model.can_delete_sso_record}}
|
||||||
<div class="controls">
|
<div class="controls">
|
||||||
|
@ -658,22 +658,22 @@
|
||||||
class="btn-danger"
|
class="btn-danger"
|
||||||
action=(action "deleteSSORecord")
|
action=(action "deleteSSORecord")
|
||||||
icon="far-trash-alt"
|
icon="far-trash-alt"
|
||||||
label="admin.user.sso.delete_sso_record"
|
label="admin.user.discourse_connect.delete_sso_record"
|
||||||
}}
|
}}
|
||||||
</div>
|
</div>
|
||||||
{{/if}}
|
{{/if}}
|
||||||
</div>
|
</div>
|
||||||
<div class="display-row">
|
<div class="display-row">
|
||||||
<div class="field">{{i18n "admin.user.sso.external_username"}}</div>
|
<div class="field">{{i18n "admin.user.discourse_connect.external_username"}}</div>
|
||||||
<div class="value">{{sso.external_username}}</div>
|
<div class="value">{{sso.external_username}}</div>
|
||||||
</div>
|
</div>
|
||||||
<div class="display-row">
|
<div class="display-row">
|
||||||
<div class="field">{{i18n "admin.user.sso.external_name"}}</div>
|
<div class="field">{{i18n "admin.user.discourse_connect.external_name"}}</div>
|
||||||
<div class="value">{{sso.external_name}}</div>
|
<div class="value">{{sso.external_name}}</div>
|
||||||
</div>
|
</div>
|
||||||
{{#if canAdminCheckEmails}}
|
{{#if canAdminCheckEmails}}
|
||||||
<div class="display-row">
|
<div class="display-row">
|
||||||
<div class="field">{{i18n "admin.user.sso.external_email"}}</div>
|
<div class="field">{{i18n "admin.user.discourse_connect.external_email"}}</div>
|
||||||
{{#if ssoExternalEmail}}
|
{{#if ssoExternalEmail}}
|
||||||
<div class="value">{{ssoExternalEmail}}</div>
|
<div class="value">{{ssoExternalEmail}}</div>
|
||||||
{{else}}
|
{{else}}
|
||||||
|
@ -687,12 +687,12 @@
|
||||||
</div>
|
</div>
|
||||||
{{/if}}
|
{{/if}}
|
||||||
<div class="display-row">
|
<div class="display-row">
|
||||||
<div class="field">{{i18n "admin.user.sso.external_avatar_url"}}</div>
|
<div class="field">{{i18n "admin.user.discourse_connect.external_avatar_url"}}</div>
|
||||||
<div class="value">{{sso.external_avatar_url}}</div>
|
<div class="value">{{sso.external_avatar_url}}</div>
|
||||||
</div>
|
</div>
|
||||||
{{#if sso.last_payload}}
|
{{#if sso.last_payload}}
|
||||||
<div class="display-row">
|
<div class="display-row">
|
||||||
<div class="field">{{i18n "admin.user.sso.last_payload"}}</div>
|
<div class="field">{{i18n "admin.user.discourse_connect.last_payload"}}</div>
|
||||||
<div class="value">
|
<div class="value">
|
||||||
{{#each ssoPayload as |line|}}
|
{{#each ssoPayload as |line|}}
|
||||||
{{line}}<br>
|
{{line}}<br>
|
||||||
|
|
|
@ -221,7 +221,7 @@ export default Component.extend({
|
||||||
) {
|
) {
|
||||||
if (!canInviteViaEmail) {
|
if (!canInviteViaEmail) {
|
||||||
// can't invite via email, only existing users
|
// can't invite via email, only existing users
|
||||||
return I18n.t("topic.invite_reply.sso_enabled");
|
return I18n.t("topic.invite_reply.discourse_connect_enabled");
|
||||||
} else if (isPM) {
|
} else if (isPM) {
|
||||||
// inviting to a message
|
// inviting to a message
|
||||||
return I18n.t("topic.invite_private.email_or_username");
|
return I18n.t("topic.invite_private.email_or_username");
|
||||||
|
|
|
@ -13,7 +13,7 @@ export default Controller.extend({
|
||||||
return (
|
return (
|
||||||
!this.siteSettings.invite_only &&
|
!this.siteSettings.invite_only &&
|
||||||
this.siteSettings.allow_new_registrations &&
|
this.siteSettings.allow_new_registrations &&
|
||||||
!this.siteSettings.enable_sso
|
!this.siteSettings.enable_discourse_connect
|
||||||
);
|
);
|
||||||
},
|
},
|
||||||
|
|
||||||
|
|
|
@ -392,7 +392,7 @@ export default Controller.extend(ModalFunctionality, {
|
||||||
}
|
}
|
||||||
|
|
||||||
const skipConfirmation =
|
const skipConfirmation =
|
||||||
options && this.siteSettings.external_auth_skip_create_confirm;
|
options && this.siteSettings.auth_skip_create_confirm;
|
||||||
|
|
||||||
const createAccountController = this.createAccount;
|
const createAccountController = this.createAccount;
|
||||||
createAccountController.setProperties({
|
createAccountController.setProperties({
|
||||||
|
|
|
@ -71,7 +71,8 @@ export default Controller.extend(CanCheckEmails, {
|
||||||
return false;
|
return false;
|
||||||
} else {
|
} else {
|
||||||
return (
|
return (
|
||||||
!this.siteSettings.enable_sso && this.siteSettings.enable_local_logins
|
!this.siteSettings.enable_discourse_connect &&
|
||||||
|
this.siteSettings.enable_local_logins
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
|
@ -755,7 +755,7 @@ const User = RestModel.extend({
|
||||||
|
|
||||||
@discourseComputed("can_delete_account")
|
@discourseComputed("can_delete_account")
|
||||||
canDeleteAccount(canDeleteAccount) {
|
canDeleteAccount(canDeleteAccount) {
|
||||||
return !this.siteSettings.enable_sso && canDeleteAccount;
|
return !this.siteSettings.enable_discourse_connect && canDeleteAccount;
|
||||||
},
|
},
|
||||||
|
|
||||||
delete: function () {
|
delete: function () {
|
||||||
|
|
|
@ -243,7 +243,7 @@ const ApplicationRoute = DiscourseRoute.extend(OpenComposer, {
|
||||||
},
|
},
|
||||||
|
|
||||||
handleShowLogin() {
|
handleShowLogin() {
|
||||||
if (this.siteSettings.enable_sso) {
|
if (this.siteSettings.enable_discourse_connect) {
|
||||||
const returnPath = encodeURIComponent(window.location.pathname);
|
const returnPath = encodeURIComponent(window.location.pathname);
|
||||||
window.location = getURL("/session/sso?return_path=" + returnPath);
|
window.location = getURL("/session/sso?return_path=" + returnPath);
|
||||||
} else {
|
} else {
|
||||||
|
@ -254,7 +254,7 @@ const ApplicationRoute = DiscourseRoute.extend(OpenComposer, {
|
||||||
},
|
},
|
||||||
|
|
||||||
handleShowCreateAccount() {
|
handleShowCreateAccount() {
|
||||||
if (this.siteSettings.enable_sso) {
|
if (this.siteSettings.enable_discourse_connect) {
|
||||||
const returnPath = encodeURIComponent(window.location.pathname);
|
const returnPath = encodeURIComponent(window.location.pathname);
|
||||||
window.location = getURL("/session/sso?return_path=" + returnPath);
|
window.location = getURL("/session/sso?return_path=" + returnPath);
|
||||||
} else {
|
} else {
|
||||||
|
|
|
@ -15,7 +15,7 @@
|
||||||
{{/if}}
|
{{/if}}
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
{{#unless siteSettings.sso_overrides_avatar}}
|
{{#unless siteSettings.discourse_connect_overrides_avatar}}
|
||||||
<div class="control-group pref-avatar">
|
<div class="control-group pref-avatar">
|
||||||
<label class="control-label" id="profile-picture">{{i18n "user.avatar.title"}}</label>
|
<label class="control-label" id="profile-picture">{{i18n "user.avatar.title"}}</label>
|
||||||
<div class="controls">
|
<div class="controls">
|
||||||
|
@ -94,8 +94,8 @@
|
||||||
{{/if}}
|
{{/if}}
|
||||||
|
|
||||||
<div class="instructions">
|
<div class="instructions">
|
||||||
{{#if siteSettings.sso_overrides_email}}
|
{{#if siteSettings.auth_overrides_email}}
|
||||||
{{i18n "user.email.sso_override_instructions"}}
|
{{i18n "user.email.auth_override_instructions"}}
|
||||||
{{/if}}
|
{{/if}}
|
||||||
{{i18n "user.email.instructions"}}
|
{{i18n "user.email.instructions"}}
|
||||||
</div>
|
</div>
|
||||||
|
|
|
@ -32,7 +32,7 @@ acceptance("Create Account - external auth", function (needs) {
|
||||||
});
|
});
|
||||||
|
|
||||||
test("when skip is enabled", async function (assert) {
|
test("when skip is enabled", async function (assert) {
|
||||||
this.siteSettings.external_auth_skip_create_confirm = true;
|
this.siteSettings.auth_skip_create_confirm = true;
|
||||||
await visit("/");
|
await visit("/");
|
||||||
|
|
||||||
assert.ok(
|
assert.ok(
|
||||||
|
|
|
@ -29,7 +29,7 @@ const ORIGINAL_SETTINGS = {
|
||||||
enable_twitter_logins: true,
|
enable_twitter_logins: true,
|
||||||
enable_facebook_logins: true,
|
enable_facebook_logins: true,
|
||||||
enable_github_logins: true,
|
enable_github_logins: true,
|
||||||
enable_sso: false,
|
enable_discourse_connect: false,
|
||||||
min_username_length: 3,
|
min_username_length: 3,
|
||||||
max_username_length: 20,
|
max_username_length: 20,
|
||||||
min_password_length: 8,
|
min_password_length: 8,
|
||||||
|
|
|
@ -439,12 +439,12 @@ class Admin::UsersController < Admin::AdminController
|
||||||
end
|
end
|
||||||
|
|
||||||
def sync_sso
|
def sync_sso
|
||||||
return render body: nil, status: 404 unless SiteSetting.enable_sso
|
return render body: nil, status: 404 unless SiteSetting.enable_discourse_connect
|
||||||
|
|
||||||
begin
|
begin
|
||||||
sso = DiscourseSingleSignOn.parse("sso=#{params[:sso]}&sig=#{params[:sig]}")
|
sso = DiscourseSingleSignOn.parse("sso=#{params[:sso]}&sig=#{params[:sig]}")
|
||||||
rescue DiscourseSingleSignOn::ParseError => e
|
rescue DiscourseSingleSignOn::ParseError => e
|
||||||
return render json: failed_json.merge(message: I18n.t("sso.login_error")), status: 422
|
return render json: failed_json.merge(message: I18n.t("discourse_connect.login_error")), status: 422
|
||||||
end
|
end
|
||||||
|
|
||||||
begin
|
begin
|
||||||
|
@ -453,7 +453,7 @@ class Admin::UsersController < Admin::AdminController
|
||||||
rescue ActiveRecord::RecordInvalid => ex
|
rescue ActiveRecord::RecordInvalid => ex
|
||||||
render json: failed_json.merge(message: ex.message), status: 403
|
render json: failed_json.merge(message: ex.message), status: 403
|
||||||
rescue DiscourseSingleSignOn::BlankExternalId => ex
|
rescue DiscourseSingleSignOn::BlankExternalId => ex
|
||||||
render json: failed_json.merge(message: I18n.t('sso.blank_id_error')), status: 422
|
render json: failed_json.merge(message: I18n.t('discourse_connect.blank_id_error')), status: 422
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -739,11 +739,11 @@ class ApplicationController < ActionController::Base
|
||||||
def redirect_to_login
|
def redirect_to_login
|
||||||
dont_cache_page
|
dont_cache_page
|
||||||
|
|
||||||
if SiteSetting.external_auth_immediately && SiteSetting.enable_sso?
|
if SiteSetting.auth_immediately && SiteSetting.enable_discourse_connect?
|
||||||
# save original URL in a session so we can redirect after login
|
# save original URL in a session so we can redirect after login
|
||||||
session[:destination_url] = destination_url
|
session[:destination_url] = destination_url
|
||||||
redirect_to path('/session/sso')
|
redirect_to path('/session/sso')
|
||||||
elsif SiteSetting.external_auth_immediately && !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1 && !cookies[:authentication_data]
|
elsif SiteSetting.auth_immediately && !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1 && !cookies[:authentication_data]
|
||||||
# Only one authentication provider, direct straight to it.
|
# Only one authentication provider, direct straight to it.
|
||||||
# If authentication_data is present, then we are halfway though registration. Don't redirect offsite
|
# If authentication_data is present, then we are halfway though registration. Don't redirect offsite
|
||||||
cookies[:destination_url] = destination_url
|
cookies[:destination_url] = destination_url
|
||||||
|
|
|
@ -338,7 +338,7 @@ class GroupsController < ApplicationController
|
||||||
|
|
||||||
if emails.any?
|
if emails.any?
|
||||||
if SiteSetting.enable_sso?
|
if SiteSetting.enable_sso?
|
||||||
raise Discourse::InvalidParameters.new(I18n.t("no_invites_with_sso"))
|
raise Discourse::InvalidParameters.new(I18n.t("no_invites_with_discourse_connect"))
|
||||||
elsif !SiteSetting.enable_local_logins?
|
elsif !SiteSetting.enable_local_logins?
|
||||||
raise Discourse::InvalidParameters.new(I18n.t("no_invites_without_local_logins"))
|
raise Discourse::InvalidParameters.new(I18n.t("no_invites_without_local_logins"))
|
||||||
end
|
end
|
||||||
|
|
|
@ -268,7 +268,7 @@ class InvitesController < ApplicationController
|
||||||
|
|
||||||
if user.has_password?
|
if user.has_password?
|
||||||
send_activation_email(user) unless user.active
|
send_activation_email(user) unless user.active
|
||||||
elsif !SiteSetting.enable_sso && SiteSetting.enable_local_logins
|
elsif !SiteSetting.enable_discourse_connect && SiteSetting.enable_local_logins
|
||||||
Jobs.enqueue(:invite_password_instructions_email, username: user.username)
|
Jobs.enqueue(:invite_password_instructions_email, username: user.username)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -24,19 +24,19 @@ class SessionController < ApplicationController
|
||||||
session.delete(:destination_url)
|
session.delete(:destination_url)
|
||||||
cookies.delete(:destination_url)
|
cookies.delete(:destination_url)
|
||||||
|
|
||||||
if SiteSetting.enable_sso?
|
if SiteSetting.enable_discourse_connect?
|
||||||
sso = DiscourseSingleSignOn.generate_sso(return_path)
|
sso = DiscourseSingleSignOn.generate_sso(return_path)
|
||||||
if SiteSetting.verbose_sso_logging
|
if SiteSetting.verbose_discourse_connect_logging
|
||||||
Rails.logger.warn("Verbose SSO log: Started SSO process\n\n#{sso.diagnostics}")
|
Rails.logger.warn("Verbose SSO log: Started SSO process\n\n#{sso.diagnostics}")
|
||||||
end
|
end
|
||||||
redirect_to sso_url(sso)
|
redirect_to discourse_connect_url(sso)
|
||||||
else
|
else
|
||||||
render body: nil, status: 404
|
render body: nil, status: 404
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def sso_provider(payload = nil)
|
def sso_provider(payload = nil)
|
||||||
if SiteSetting.enable_sso_provider
|
if SiteSetting.enable_discourse_connect_provider
|
||||||
begin
|
begin
|
||||||
if !payload
|
if !payload
|
||||||
params.require(:sso)
|
params.require(:sso)
|
||||||
|
@ -44,15 +44,15 @@ class SessionController < ApplicationController
|
||||||
end
|
end
|
||||||
sso = SingleSignOnProvider.parse(payload)
|
sso = SingleSignOnProvider.parse(payload)
|
||||||
rescue SingleSignOnProvider::BlankSecret
|
rescue SingleSignOnProvider::BlankSecret
|
||||||
render plain: I18n.t("sso.missing_secret"), status: 400
|
render plain: I18n.t("discourse_connect.missing_secret"), status: 400
|
||||||
return
|
return
|
||||||
rescue SingleSignOnProvider::ParseError => e
|
rescue SingleSignOnProvider::ParseError => e
|
||||||
if SiteSetting.verbose_sso_logging
|
if SiteSetting.verbose_discourse_connect_logging
|
||||||
Rails.logger.warn("Verbose SSO log: Signature parse error\n\n#{e.message}\n\n#{sso&.diagnostics}")
|
Rails.logger.warn("Verbose SSO log: Signature parse error\n\n#{e.message}\n\n#{sso&.diagnostics}")
|
||||||
end
|
end
|
||||||
|
|
||||||
# Do NOT pass the error text to the client, it would give them the correct signature
|
# Do NOT pass the error text to the client, it would give them the correct signature
|
||||||
render plain: I18n.t("sso.login_error"), status: 422
|
render plain: I18n.t("discourse_connect.login_error"), status: 422
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -138,7 +138,7 @@ class SessionController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def sso_login
|
def sso_login
|
||||||
raise Discourse::NotFound.new unless SiteSetting.enable_sso
|
raise Discourse::NotFound.new unless SiteSetting.enable_discourse_connect
|
||||||
|
|
||||||
params.require(:sso)
|
params.require(:sso)
|
||||||
params.require(:sig)
|
params.require(:sig)
|
||||||
|
@ -146,26 +146,26 @@ class SessionController < ApplicationController
|
||||||
begin
|
begin
|
||||||
sso = DiscourseSingleSignOn.parse(request.query_string)
|
sso = DiscourseSingleSignOn.parse(request.query_string)
|
||||||
rescue DiscourseSingleSignOn::ParseError => e
|
rescue DiscourseSingleSignOn::ParseError => e
|
||||||
if SiteSetting.verbose_sso_logging
|
if SiteSetting.verbose_discourse_connect_logging
|
||||||
Rails.logger.warn("Verbose SSO log: Signature parse error\n\n#{e.message}\n\n#{sso&.diagnostics}")
|
Rails.logger.warn("Verbose SSO log: Signature parse error\n\n#{e.message}\n\n#{sso&.diagnostics}")
|
||||||
end
|
end
|
||||||
|
|
||||||
# Do NOT pass the error text to the client, it would give them the correct signature
|
# Do NOT pass the error text to the client, it would give them the correct signature
|
||||||
return render_sso_error(text: I18n.t("sso.login_error"), status: 422)
|
return render_sso_error(text: I18n.t("discourse_connect.login_error"), status: 422)
|
||||||
end
|
end
|
||||||
|
|
||||||
if !sso.nonce_valid?
|
if !sso.nonce_valid?
|
||||||
if SiteSetting.verbose_sso_logging
|
if SiteSetting.verbose_discourse_connect_logging
|
||||||
Rails.logger.warn("Verbose SSO log: Nonce has already expired\n\n#{sso.diagnostics}")
|
Rails.logger.warn("Verbose SSO log: Nonce has already expired\n\n#{sso.diagnostics}")
|
||||||
end
|
end
|
||||||
return render_sso_error(text: I18n.t("sso.timeout_expired"), status: 419)
|
return render_sso_error(text: I18n.t("discourse_connect.timeout_expired"), status: 419)
|
||||||
end
|
end
|
||||||
|
|
||||||
if ScreenedIpAddress.should_block?(request.remote_ip)
|
if ScreenedIpAddress.should_block?(request.remote_ip)
|
||||||
if SiteSetting.verbose_sso_logging
|
if SiteSetting.verbose_discourse_connect_logging
|
||||||
Rails.logger.warn("Verbose SSO log: IP address is blocked #{request.remote_ip}\n\n#{sso.diagnostics}")
|
Rails.logger.warn("Verbose SSO log: IP address is blocked #{request.remote_ip}\n\n#{sso.diagnostics}")
|
||||||
end
|
end
|
||||||
return render_sso_error(text: I18n.t("sso.unknown_error"), status: 500)
|
return render_sso_error(text: I18n.t("discourse_connect.unknown_error"), status: 500)
|
||||||
end
|
end
|
||||||
|
|
||||||
return_path = sso.return_path
|
return_path = sso.return_path
|
||||||
|
@ -180,10 +180,10 @@ class SessionController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
if SiteSetting.must_approve_users? && !user.approved?
|
if SiteSetting.must_approve_users? && !user.approved?
|
||||||
if SiteSetting.sso_not_approved_url.present?
|
if SiteSetting.discourse_connect_not_approved_url.present?
|
||||||
redirect_to SiteSetting.sso_not_approved_url
|
redirect_to SiteSetting.discourse_connect_not_approved_url
|
||||||
else
|
else
|
||||||
render_sso_error(text: I18n.t("sso.account_not_approved"), status: 403)
|
render_sso_error(text: I18n.t("discourse_connect.account_not_approved"), status: 403)
|
||||||
end
|
end
|
||||||
return
|
return
|
||||||
elsif !user.active?
|
elsif !user.active?
|
||||||
|
@ -192,7 +192,7 @@ class SessionController < ApplicationController
|
||||||
session["user_created_message"] = activation.message
|
session["user_created_message"] = activation.message
|
||||||
redirect_to(users_account_created_path) && (return)
|
redirect_to(users_account_created_path) && (return)
|
||||||
else
|
else
|
||||||
if SiteSetting.verbose_sso_logging
|
if SiteSetting.verbose_discourse_connect_logging
|
||||||
Rails.logger.warn("Verbose SSO log: User was logged on #{user.username}\n\n#{sso.diagnostics}")
|
Rails.logger.warn("Verbose SSO log: User was logged on #{user.username}\n\n#{sso.diagnostics}")
|
||||||
end
|
end
|
||||||
if user.id != current_user&.id
|
if user.id != current_user&.id
|
||||||
|
@ -206,7 +206,7 @@ class SessionController < ApplicationController
|
||||||
uri = URI(return_path)
|
uri = URI(return_path)
|
||||||
if (uri.hostname == Discourse.current_hostname)
|
if (uri.hostname == Discourse.current_hostname)
|
||||||
return_path = uri.to_s
|
return_path = uri.to_s
|
||||||
elsif !SiteSetting.sso_allows_all_return_paths
|
elsif !SiteSetting.discourse_connect_allows_all_return_paths
|
||||||
return_path = path("/")
|
return_path = path("/")
|
||||||
end
|
end
|
||||||
rescue
|
rescue
|
||||||
|
@ -223,11 +223,11 @@ class SessionController < ApplicationController
|
||||||
|
|
||||||
redirect_to return_path
|
redirect_to return_path
|
||||||
else
|
else
|
||||||
render_sso_error(text: I18n.t("sso.not_found"), status: 500)
|
render_sso_error(text: I18n.t("discourse_connect.not_found"), status: 500)
|
||||||
end
|
end
|
||||||
rescue ActiveRecord::RecordInvalid => e
|
rescue ActiveRecord::RecordInvalid => e
|
||||||
|
|
||||||
if SiteSetting.verbose_sso_logging
|
if SiteSetting.verbose_discourse_connect_logging
|
||||||
Rails.logger.warn(<<~EOF)
|
Rails.logger.warn(<<~EOF)
|
||||||
Verbose SSO log: Record was invalid: #{e.record.class.name} #{e.record.id}
|
Verbose SSO log: Record was invalid: #{e.record.class.name} #{e.record.id}
|
||||||
#{e.record.errors.to_h}
|
#{e.record.errors.to_h}
|
||||||
|
@ -245,17 +245,17 @@ class SessionController < ApplicationController
|
||||||
# If there's a problem with the email we can explain that
|
# If there's a problem with the email we can explain that
|
||||||
if (e.record.is_a?(User) && e.record.errors[:primary_email].present?)
|
if (e.record.is_a?(User) && e.record.errors[:primary_email].present?)
|
||||||
if e.record.email.blank?
|
if e.record.email.blank?
|
||||||
text = I18n.t("sso.no_email")
|
text = I18n.t("discourse_connect.no_email")
|
||||||
else
|
else
|
||||||
text = I18n.t("sso.email_error", email: ERB::Util.html_escape(e.record.email))
|
text = I18n.t("discourse_connect.email_error", email: ERB::Util.html_escape(e.record.email))
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
render_sso_error(text: text || I18n.t("sso.unknown_error"), status: 500)
|
render_sso_error(text: text || I18n.t("discourse_connect.unknown_error"), status: 500)
|
||||||
|
|
||||||
rescue DiscourseSingleSignOn::BlankExternalId
|
rescue DiscourseSingleSignOn::BlankExternalId
|
||||||
|
|
||||||
render_sso_error(text: I18n.t("sso.blank_id_error"), status: 500)
|
render_sso_error(text: I18n.t("discourse_connect.blank_id_error"), status: 500)
|
||||||
|
|
||||||
rescue => e
|
rescue => e
|
||||||
message = +"Failed to create or lookup user: #{e}."
|
message = +"Failed to create or lookup user: #{e}."
|
||||||
|
@ -266,7 +266,7 @@ class SessionController < ApplicationController
|
||||||
|
|
||||||
Rails.logger.error(message)
|
Rails.logger.error(message)
|
||||||
|
|
||||||
render_sso_error(text: I18n.t("sso.unknown_error"), status: 500)
|
render_sso_error(text: I18n.t("discourse_connect.unknown_error"), status: 500)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -445,7 +445,7 @@ class SessionController < ApplicationController
|
||||||
def destroy
|
def destroy
|
||||||
redirect_url = params[:return_url].presence || SiteSetting.logout_redirect.presence
|
redirect_url = params[:return_url].presence || SiteSetting.logout_redirect.presence
|
||||||
|
|
||||||
sso = SiteSetting.enable_sso
|
sso = SiteSetting.enable_discourse_connect
|
||||||
only_one_authenticator = !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1
|
only_one_authenticator = !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1
|
||||||
if SiteSetting.login_required && (sso || only_one_authenticator)
|
if SiteSetting.login_required && (sso || only_one_authenticator)
|
||||||
# In this situation visiting most URLs will start the auth process again
|
# In this situation visiting most URLs will start the auth process again
|
||||||
|
@ -498,7 +498,7 @@ class SessionController < ApplicationController
|
||||||
return if user&.admin?
|
return if user&.admin?
|
||||||
|
|
||||||
if (check_login_via_email && !SiteSetting.enable_local_logins_via_email) ||
|
if (check_login_via_email && !SiteSetting.enable_local_logins_via_email) ||
|
||||||
SiteSetting.enable_sso ||
|
SiteSetting.enable_discourse_connect ||
|
||||||
!SiteSetting.enable_local_logins
|
!SiteSetting.enable_local_logins
|
||||||
raise Discourse::InvalidAccess, "SSO takes over local login or the local login is disallowed."
|
raise Discourse::InvalidAccess, "SSO takes over local login or the local login is disallowed."
|
||||||
end
|
end
|
||||||
|
|
|
@ -19,7 +19,7 @@ class UploadsController < ApplicationController
|
||||||
# 50 characters ought to be enough for the upload type
|
# 50 characters ought to be enough for the upload type
|
||||||
type = params.require(:type).parameterize(separator: "_")[0..50]
|
type = params.require(:type).parameterize(separator: "_")[0..50]
|
||||||
|
|
||||||
if type == "avatar" && !me.admin? && (SiteSetting.sso_overrides_avatar || !SiteSetting.allow_uploaded_avatars)
|
if type == "avatar" && !me.admin? && (SiteSetting.discourse_connect_overrides_avatar || !SiteSetting.allow_uploaded_avatars)
|
||||||
return render json: failed_json, status: 422
|
return render json: failed_json, status: 422
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -23,7 +23,7 @@ class UserApiKeysController < ApplicationController
|
||||||
unless current_user
|
unless current_user
|
||||||
cookies[:destination_url] = request.fullpath
|
cookies[:destination_url] = request.fullpath
|
||||||
|
|
||||||
if SiteSetting.enable_sso?
|
if SiteSetting.enable_discourse_connect?
|
||||||
redirect_to path('/session/sso')
|
redirect_to path('/session/sso')
|
||||||
else
|
else
|
||||||
redirect_to path('/login')
|
redirect_to path('/login')
|
||||||
|
@ -115,7 +115,7 @@ class UserApiKeysController < ApplicationController
|
||||||
unless current_user
|
unless current_user
|
||||||
cookies[:destination_url] = request.fullpath
|
cookies[:destination_url] = request.fullpath
|
||||||
|
|
||||||
if SiteSetting.enable_sso?
|
if SiteSetting.enable_discourse_connect?
|
||||||
redirect_to path('/session/sso')
|
redirect_to path('/session/sso')
|
||||||
else
|
else
|
||||||
redirect_to path('/login')
|
redirect_to path('/login')
|
||||||
|
|
|
@ -40,7 +40,7 @@ class Users::OmniauthCallbacksController < ApplicationController
|
||||||
|
|
||||||
preferred_origin = request.env['omniauth.origin']
|
preferred_origin = request.env['omniauth.origin']
|
||||||
|
|
||||||
if SiteSetting.enable_sso_provider && payload = cookies.delete(:sso_payload)
|
if SiteSetting.enable_discourse_connect_provider && payload = cookies.delete(:sso_payload)
|
||||||
preferred_origin = session_sso_provider_url + "?" + payload
|
preferred_origin = session_sso_provider_url + "?" + payload
|
||||||
elsif cookies[:destination_url].present?
|
elsif cookies[:destination_url].present?
|
||||||
preferred_origin = cookies[:destination_url]
|
preferred_origin = cookies[:destination_url]
|
||||||
|
|
|
@ -179,7 +179,7 @@ class UsersController < ApplicationController
|
||||||
end
|
end
|
||||||
rescue Discourse::InvalidAccess
|
rescue Discourse::InvalidAccess
|
||||||
if current_user&.staff?
|
if current_user&.staff?
|
||||||
render_json_error(I18n.t('errors.messages.sso_overrides_username'))
|
render_json_error(I18n.t('errors.messages.auth_overrides_username'))
|
||||||
else
|
else
|
||||||
render json: failed_json, status: 403
|
render json: failed_json, status: 403
|
||||||
end
|
end
|
||||||
|
@ -412,8 +412,8 @@ class UsersController < ApplicationController
|
||||||
))
|
))
|
||||||
else
|
else
|
||||||
if current_user&.staff?
|
if current_user&.staff?
|
||||||
message = if SiteSetting.enable_sso
|
message = if SiteSetting.enable_discourse_connect
|
||||||
I18n.t("invite.disabled_errors.sso_enabled")
|
I18n.t("invite.disabled_errors.discourse_connect_enabled")
|
||||||
elsif !SiteSetting.enable_local_logins
|
elsif !SiteSetting.enable_local_logins
|
||||||
I18n.t("invite.disabled_errors.local_logins_disabled")
|
I18n.t("invite.disabled_errors.local_logins_disabled")
|
||||||
end
|
end
|
||||||
|
@ -436,8 +436,8 @@ class UsersController < ApplicationController
|
||||||
render json: MultiJson.dump(invites: serialize_data(invites.to_a, InviteLinkSerializer), can_see_invite_details: guardian.can_see_invite_details?(inviter))
|
render json: MultiJson.dump(invites: serialize_data(invites.to_a, InviteLinkSerializer), can_see_invite_details: guardian.can_see_invite_details?(inviter))
|
||||||
else
|
else
|
||||||
if current_user&.staff?
|
if current_user&.staff?
|
||||||
message = if SiteSetting.enable_sso
|
message = if SiteSetting.enable_discourse_connect
|
||||||
I18n.t("invite.disabled_errors.sso_enabled")
|
I18n.t("invite.disabled_errors.discourse_connect_enabled")
|
||||||
elsif !SiteSetting.enable_local_logins
|
elsif !SiteSetting.enable_local_logins
|
||||||
I18n.t("invite.disabled_errors.local_logins_disabled")
|
I18n.t("invite.disabled_errors.local_logins_disabled")
|
||||||
end
|
end
|
||||||
|
@ -909,7 +909,7 @@ class UsersController < ApplicationController
|
||||||
|
|
||||||
def account_created
|
def account_created
|
||||||
if current_user.present?
|
if current_user.present?
|
||||||
if SiteSetting.enable_sso_provider && payload = cookies.delete(:sso_payload)
|
if SiteSetting.enable_discourse_connect_provider && payload = cookies.delete(:sso_payload)
|
||||||
return redirect_to(session_sso_provider_url + "?" + payload)
|
return redirect_to(session_sso_provider_url + "?" + payload)
|
||||||
elsif destination_url = cookies.delete(:destination_url)
|
elsif destination_url = cookies.delete(:destination_url)
|
||||||
return redirect_to(destination_url)
|
return redirect_to(destination_url)
|
||||||
|
@ -958,7 +958,7 @@ class UsersController < ApplicationController
|
||||||
elsif destination_url = cookies[:destination_url]
|
elsif destination_url = cookies[:destination_url]
|
||||||
cookies[:destination_url] = nil
|
cookies[:destination_url] = nil
|
||||||
return redirect_to(destination_url)
|
return redirect_to(destination_url)
|
||||||
elsif SiteSetting.enable_sso_provider && payload = cookies.delete(:sso_payload)
|
elsif SiteSetting.enable_discourse_connect_provider && payload = cookies.delete(:sso_payload)
|
||||||
return redirect_to(session_sso_provider_url + "?" + payload)
|
return redirect_to(session_sso_provider_url + "?" + payload)
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
|
@ -1095,7 +1095,7 @@ class UsersController < ApplicationController
|
||||||
user = fetch_user_from_params
|
user = fetch_user_from_params
|
||||||
guardian.ensure_can_edit!(user)
|
guardian.ensure_can_edit!(user)
|
||||||
|
|
||||||
if SiteSetting.sso_overrides_avatar
|
if SiteSetting.discourse_connect_overrides_avatar
|
||||||
return render json: failed_json, status: 422
|
return render json: failed_json, status: 422
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -1276,7 +1276,7 @@ class UsersController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def list_second_factors
|
def list_second_factors
|
||||||
raise Discourse::NotFound if SiteSetting.enable_sso || !SiteSetting.enable_local_logins
|
raise Discourse::NotFound if SiteSetting.enable_discourse_connect || !SiteSetting.enable_local_logins
|
||||||
|
|
||||||
unless params[:password].empty?
|
unless params[:password].empty?
|
||||||
RateLimiter.new(nil, "login-hr-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_hour, 1.hour).performed!
|
RateLimiter.new(nil, "login-hr-#{request.remote_ip}", SiteSetting.max_logins_per_ip_per_hour, 1.hour).performed!
|
||||||
|
@ -1448,7 +1448,7 @@ class UsersController < ApplicationController
|
||||||
end
|
end
|
||||||
|
|
||||||
def second_factor_check_confirmed_password
|
def second_factor_check_confirmed_password
|
||||||
raise Discourse::NotFound if SiteSetting.enable_sso || !SiteSetting.enable_local_logins
|
raise Discourse::NotFound if SiteSetting.enable_discourse_connect || !SiteSetting.enable_local_logins
|
||||||
|
|
||||||
raise Discourse::InvalidAccess.new unless current_user && secure_session_confirmed?
|
raise Discourse::InvalidAccess.new unless current_user && secure_session_confirmed?
|
||||||
end
|
end
|
||||||
|
|
|
@ -548,7 +548,7 @@ module ApplicationHelper
|
||||||
def can_sign_up?
|
def can_sign_up?
|
||||||
SiteSetting.allow_new_registrations &&
|
SiteSetting.allow_new_registrations &&
|
||||||
!SiteSetting.invite_only &&
|
!SiteSetting.invite_only &&
|
||||||
!SiteSetting.enable_sso
|
!SiteSetting.enable_discourse_connect
|
||||||
end
|
end
|
||||||
|
|
||||||
def rss_creator(user)
|
def rss_creator(user)
|
||||||
|
|
|
@ -113,7 +113,7 @@ module Jobs
|
||||||
condition = { trust_level: trust_level }
|
condition = { trust_level: trust_level }
|
||||||
end
|
end
|
||||||
|
|
||||||
if SiteSetting.enable_sso
|
if SiteSetting.enable_discourse_connect
|
||||||
# SSO enabled
|
# SSO enabled
|
||||||
User.where(condition).includes(:user_profile, :user_stat, :user_emails, :single_sign_on_record, :groups).find_each do |user|
|
User.where(condition).includes(:user_profile, :user_stat, :user_emails, :single_sign_on_record, :groups).find_each do |user|
|
||||||
user_info_array = get_base_user_array(user)
|
user_info_array = get_base_user_array(user)
|
||||||
|
@ -232,7 +232,7 @@ module Jobs
|
||||||
def get_header(entity)
|
def get_header(entity)
|
||||||
if entity == 'user_list'
|
if entity == 'user_list'
|
||||||
header_array = HEADER_ATTRS_FOR['user_list'] + HEADER_ATTRS_FOR['user_stats'] + HEADER_ATTRS_FOR['user_profile']
|
header_array = HEADER_ATTRS_FOR['user_list'] + HEADER_ATTRS_FOR['user_stats'] + HEADER_ATTRS_FOR['user_profile']
|
||||||
header_array.concat(HEADER_ATTRS_FOR['user_sso']) if SiteSetting.enable_sso
|
header_array.concat(HEADER_ATTRS_FOR['user_sso']) if SiteSetting.enable_discourse_connect
|
||||||
user_custom_fields = UserField.all
|
user_custom_fields = UserField.all
|
||||||
if user_custom_fields.present?
|
if user_custom_fields.present?
|
||||||
user_custom_fields.each do |custom_field|
|
user_custom_fields.each do |custom_field|
|
||||||
|
|
|
@ -384,7 +384,7 @@ module Jobs
|
||||||
def get_header(entity)
|
def get_header(entity)
|
||||||
if entity == 'user_list'
|
if entity == 'user_list'
|
||||||
header_array = HEADER_ATTRS_FOR['user_list'] + HEADER_ATTRS_FOR['user_stats'] + HEADER_ATTRS_FOR['user_profile']
|
header_array = HEADER_ATTRS_FOR['user_list'] + HEADER_ATTRS_FOR['user_stats'] + HEADER_ATTRS_FOR['user_profile']
|
||||||
header_array.concat(HEADER_ATTRS_FOR['user_sso']) if SiteSetting.enable_sso
|
header_array.concat(HEADER_ATTRS_FOR['user_sso']) if SiteSetting.enable_discourse_connect
|
||||||
user_custom_fields = UserField.all
|
user_custom_fields = UserField.all
|
||||||
if user_custom_fields.present?
|
if user_custom_fields.present?
|
||||||
user_custom_fields.each do |custom_field|
|
user_custom_fields.each do |custom_field|
|
||||||
|
|
|
@ -54,19 +54,19 @@ module SecondFactorManager
|
||||||
end
|
end
|
||||||
|
|
||||||
def totp_enabled?
|
def totp_enabled?
|
||||||
!SiteSetting.enable_sso &&
|
!SiteSetting.enable_discourse_connect &&
|
||||||
SiteSetting.enable_local_logins &&
|
SiteSetting.enable_local_logins &&
|
||||||
self&.user_second_factors.totps.exists?
|
self&.user_second_factors.totps.exists?
|
||||||
end
|
end
|
||||||
|
|
||||||
def backup_codes_enabled?
|
def backup_codes_enabled?
|
||||||
!SiteSetting.enable_sso &&
|
!SiteSetting.enable_discourse_connect &&
|
||||||
SiteSetting.enable_local_logins &&
|
SiteSetting.enable_local_logins &&
|
||||||
self&.user_second_factors.backup_codes.exists?
|
self&.user_second_factors.backup_codes.exists?
|
||||||
end
|
end
|
||||||
|
|
||||||
def security_keys_enabled?
|
def security_keys_enabled?
|
||||||
!SiteSetting.enable_sso &&
|
!SiteSetting.enable_discourse_connect &&
|
||||||
SiteSetting.enable_local_logins &&
|
SiteSetting.enable_local_logins &&
|
||||||
self&.security_keys.where(factor_type: UserSecurityKey.factor_types[:second_factor], enabled: true).exists?
|
self&.security_keys.where(factor_type: UserSecurityKey.factor_types[:second_factor], enabled: true).exists?
|
||||||
end
|
end
|
||||||
|
|
|
@ -6,11 +6,11 @@ class DiscourseSingleSignOn < SingleSignOn
|
||||||
class BannedExternalId < StandardError; end
|
class BannedExternalId < StandardError; end
|
||||||
|
|
||||||
def self.sso_url
|
def self.sso_url
|
||||||
SiteSetting.sso_url
|
SiteSetting.discourse_connect_url
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.sso_secret
|
def self.sso_secret
|
||||||
SiteSetting.sso_secret
|
SiteSetting.discourse_connect_secret
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.generate_sso(return_path = "/")
|
def self.generate_sso(return_path = "/")
|
||||||
|
@ -120,7 +120,7 @@ class DiscourseSingleSignOn < SingleSignOn
|
||||||
# The user might require approval
|
# The user might require approval
|
||||||
user.create_reviewable
|
user.create_reviewable
|
||||||
|
|
||||||
if bio && (user.user_profile.bio_raw.blank? || SiteSetting.sso_overrides_bio)
|
if bio && (user.user_profile.bio_raw.blank? || SiteSetting.discourse_connect_overrides_bio)
|
||||||
user.user_profile.bio_raw = bio
|
user.user_profile.bio_raw = bio
|
||||||
user.user_profile.save!
|
user.user_profile.save!
|
||||||
end
|
end
|
||||||
|
@ -170,7 +170,7 @@ class DiscourseSingleSignOn < SingleSignOn
|
||||||
end
|
end
|
||||||
|
|
||||||
def apply_group_rules(user)
|
def apply_group_rules(user)
|
||||||
if SiteSetting.sso_overrides_groups
|
if SiteSetting.discourse_connect_overrides_groups
|
||||||
synchronize_groups(user)
|
synchronize_groups(user)
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
@ -219,7 +219,7 @@ class DiscourseSingleSignOn < SingleSignOn
|
||||||
|
|
||||||
user = User.create!(user_params)
|
user = User.create!(user_params)
|
||||||
|
|
||||||
if SiteSetting.verbose_sso_logging
|
if SiteSetting.verbose_discourse_connect_logging
|
||||||
Rails.logger.warn("Verbose SSO log: New User (user_id: #{user.id}) Params: #{user_params} User Params: #{user.attributes} User Errors: #{user.errors.full_messages} Email: #{user.primary_email.attributes} Email Error: #{user.primary_email.errors.full_messages}")
|
Rails.logger.warn("Verbose SSO log: New User (user_id: #{user.id}) Params: #{user_params} User Params: #{user.attributes} User Errors: #{user.errors.full_messages} Email: #{user.primary_email.attributes} Email Error: #{user.primary_email.errors.full_messages}")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -233,7 +233,7 @@ class DiscourseSingleSignOn < SingleSignOn
|
||||||
Jobs.enqueue(:download_avatar_from_url,
|
Jobs.enqueue(:download_avatar_from_url,
|
||||||
url: avatar_url,
|
url: avatar_url,
|
||||||
user_id: user.id,
|
user_id: user.id,
|
||||||
override_gravatar: SiteSetting.sso_overrides_avatar
|
override_gravatar: SiteSetting.discourse_connect_overrides_avatar
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -273,13 +273,13 @@ class DiscourseSingleSignOn < SingleSignOn
|
||||||
def change_external_attributes_and_override(sso_record, user)
|
def change_external_attributes_and_override(sso_record, user)
|
||||||
@email_changed = false
|
@email_changed = false
|
||||||
|
|
||||||
if SiteSetting.sso_overrides_email && user.email != Email.downcase(email)
|
if SiteSetting.auth_overrides_email && user.email != Email.downcase(email)
|
||||||
user.email = email
|
user.email = email
|
||||||
user.active = false if require_activation
|
user.active = false if require_activation
|
||||||
@email_changed = true
|
@email_changed = true
|
||||||
end
|
end
|
||||||
|
|
||||||
if SiteSetting.sso_overrides_username? && username.present?
|
if SiteSetting.auth_overrides_username? && username.present?
|
||||||
if user.username.downcase == username.downcase
|
if user.username.downcase == username.downcase
|
||||||
user.username = username # there may be a change of case
|
user.username = username # there may be a change of case
|
||||||
elsif user.username != username
|
elsif user.username != username
|
||||||
|
@ -287,7 +287,7 @@ class DiscourseSingleSignOn < SingleSignOn
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
if SiteSetting.sso_overrides_name && user.name != name && name.present?
|
if SiteSetting.auth_overrides_name && user.name != name && name.present?
|
||||||
user.name = name || User.suggest_name(username.blank? ? email : username)
|
user.name = name || User.suggest_name(username.blank? ? email : username)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -297,18 +297,18 @@ class DiscourseSingleSignOn < SingleSignOn
|
||||||
|
|
||||||
avatar_missing = user.uploaded_avatar_id.nil? || !Upload.exists?(user.uploaded_avatar_id)
|
avatar_missing = user.uploaded_avatar_id.nil? || !Upload.exists?(user.uploaded_avatar_id)
|
||||||
|
|
||||||
if (avatar_missing || avatar_force_update || SiteSetting.sso_overrides_avatar) && avatar_url.present?
|
if (avatar_missing || avatar_force_update || SiteSetting.discourse_connect_overrides_avatar) && avatar_url.present?
|
||||||
avatar_changed = sso_record.external_avatar_url != avatar_url
|
avatar_changed = sso_record.external_avatar_url != avatar_url
|
||||||
|
|
||||||
if avatar_force_update || avatar_changed || avatar_missing
|
if avatar_force_update || avatar_changed || avatar_missing
|
||||||
Jobs.enqueue(:download_avatar_from_url, url: avatar_url, user_id: user.id, override_gravatar: SiteSetting.sso_overrides_avatar)
|
Jobs.enqueue(:download_avatar_from_url, url: avatar_url, user_id: user.id, override_gravatar: SiteSetting.discourse_connect_overrides_avatar)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
if profile_background_url.present?
|
if profile_background_url.present?
|
||||||
profile_background_missing = user.user_profile.profile_background_upload.blank? || Upload.get_from_url(user.user_profile.profile_background_upload.url).blank?
|
profile_background_missing = user.user_profile.profile_background_upload.blank? || Upload.get_from_url(user.user_profile.profile_background_upload.url).blank?
|
||||||
|
|
||||||
if profile_background_missing || SiteSetting.sso_overrides_profile_background
|
if profile_background_missing || SiteSetting.discourse_connect_overrides_profile_background
|
||||||
profile_background_changed = sso_record.external_profile_background_url != profile_background_url
|
profile_background_changed = sso_record.external_profile_background_url != profile_background_url
|
||||||
if profile_background_changed || profile_background_missing
|
if profile_background_changed || profile_background_missing
|
||||||
Jobs.enqueue(:download_profile_background_from_url,
|
Jobs.enqueue(:download_profile_background_from_url,
|
||||||
|
@ -322,7 +322,7 @@ class DiscourseSingleSignOn < SingleSignOn
|
||||||
|
|
||||||
if card_background_url.present?
|
if card_background_url.present?
|
||||||
card_background_missing = user.user_profile.card_background_upload.blank? || Upload.get_from_url(user.user_profile.card_background_upload.url).blank?
|
card_background_missing = user.user_profile.card_background_upload.blank? || Upload.get_from_url(user.user_profile.card_background_upload.url).blank?
|
||||||
if card_background_missing || SiteSetting.sso_overrides_profile_background
|
if card_background_missing || SiteSetting.discourse_connect_overrides_profile_background
|
||||||
card_background_changed = sso_record.external_card_background_url != card_background_url
|
card_background_changed = sso_record.external_card_background_url != card_background_url
|
||||||
if card_background_changed || card_background_missing
|
if card_background_changed || card_background_missing
|
||||||
Jobs.enqueue(:download_profile_background_from_url,
|
Jobs.enqueue(:download_profile_background_from_url,
|
||||||
|
|
|
@ -361,7 +361,7 @@ class Invite < ActiveRecord::Base
|
||||||
return if email.blank?
|
return if email.blank?
|
||||||
|
|
||||||
if SiteSetting.enable_sso?
|
if SiteSetting.enable_sso?
|
||||||
errors.add(:email, I18n.t("invite.disabled_errors.sso_enabled"))
|
errors.add(:email, I18n.t("invite.disabled_errors.discourse_connect_enabled"))
|
||||||
elsif !SiteSetting.enable_local_logins?
|
elsif !SiteSetting.enable_local_logins?
|
||||||
errors.add(:email, I18n.t("invite.disabled_errors.local_logins_disabled"))
|
errors.add(:email, I18n.t("invite.disabled_errors.local_logins_disabled"))
|
||||||
end
|
end
|
||||||
|
|
|
@ -106,7 +106,7 @@ class AdminUserListSerializer < BasicUserSerializer
|
||||||
end
|
end
|
||||||
|
|
||||||
def include_second_factor_enabled?
|
def include_second_factor_enabled?
|
||||||
!SiteSetting.enable_sso &&
|
!SiteSetting.enable_discourse_connect &&
|
||||||
SiteSetting.enable_local_logins &&
|
SiteSetting.enable_local_logins &&
|
||||||
object.has_any_second_factor_methods_enabled?
|
object.has_any_second_factor_methods_enabled?
|
||||||
end
|
end
|
||||||
|
|
|
@ -228,7 +228,7 @@ class CurrentUserSerializer < BasicUserSerializer
|
||||||
end
|
end
|
||||||
|
|
||||||
def include_external_id?
|
def include_external_id?
|
||||||
SiteSetting.enable_sso
|
SiteSetting.enable_discourse_connect
|
||||||
end
|
end
|
||||||
|
|
||||||
def second_factor_enabled
|
def second_factor_enabled
|
||||||
|
|
|
@ -44,7 +44,7 @@ class NotificationSerializer < ApplicationSerializer
|
||||||
end
|
end
|
||||||
|
|
||||||
def include_external_id?
|
def include_external_id?
|
||||||
SiteSetting.enable_sso
|
SiteSetting.enable_discourse_connect
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -120,15 +120,15 @@ class UserSerializer < UserCardSerializer
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_change_bio
|
def can_change_bio
|
||||||
!(SiteSetting.enable_sso && SiteSetting.sso_overrides_bio)
|
!(SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_bio)
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_change_location
|
def can_change_location
|
||||||
!(SiteSetting.enable_sso && SiteSetting.sso_overrides_location)
|
!(SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_location)
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_change_website
|
def can_change_website
|
||||||
!(SiteSetting.enable_sso && SiteSetting.sso_overrides_website)
|
!(SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_website)
|
||||||
end
|
end
|
||||||
|
|
||||||
def user_api_keys
|
def user_api_keys
|
||||||
|
|
|
@ -67,15 +67,15 @@ class UserUpdater
|
||||||
def update(attributes = {})
|
def update(attributes = {})
|
||||||
user_profile = user.user_profile
|
user_profile = user.user_profile
|
||||||
user_profile.dismissed_banner_key = attributes[:dismissed_banner_key] if attributes[:dismissed_banner_key].present?
|
user_profile.dismissed_banner_key = attributes[:dismissed_banner_key] if attributes[:dismissed_banner_key].present?
|
||||||
unless SiteSetting.enable_sso && SiteSetting.sso_overrides_bio
|
unless SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_bio
|
||||||
user_profile.bio_raw = attributes.fetch(:bio_raw) { user_profile.bio_raw }
|
user_profile.bio_raw = attributes.fetch(:bio_raw) { user_profile.bio_raw }
|
||||||
end
|
end
|
||||||
|
|
||||||
unless SiteSetting.enable_sso && SiteSetting.sso_overrides_location
|
unless SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_location
|
||||||
user_profile.location = attributes.fetch(:location) { user_profile.location }
|
user_profile.location = attributes.fetch(:location) { user_profile.location }
|
||||||
end
|
end
|
||||||
|
|
||||||
unless SiteSetting.enable_sso && SiteSetting.sso_overrides_website
|
unless SiteSetting.enable_discourse_connect && SiteSetting.discourse_connect_overrides_website
|
||||||
user_profile.website = format_url(attributes.fetch(:website) { user_profile.website })
|
user_profile.website = format_url(attributes.fetch(:website) { user_profile.website })
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
<h1><%= t('sso.login_error') %></h1>
|
<h1><%= t('discourse_connect.login_error') %></h1>
|
||||||
|
|
||||||
<br/>
|
<br/>
|
||||||
|
|
||||||
|
|
|
@ -1263,7 +1263,7 @@ en:
|
||||||
set_primary: "Set Primary Email"
|
set_primary: "Set Primary Email"
|
||||||
destroy: "Remove Email"
|
destroy: "Remove Email"
|
||||||
add_email: "Add Alternate Email"
|
add_email: "Add Alternate Email"
|
||||||
sso_override_instructions: "Email can be updated from SSO provider."
|
auth_override_instructions: "Email can be updated from authentication provider."
|
||||||
no_secondary: "No secondary emails"
|
no_secondary: "No secondary emails"
|
||||||
instructions: "Never shown to the public."
|
instructions: "Never shown to the public."
|
||||||
admin_note: "Note: An admin user changing another non-admin user's email indicates the user has lost access to their original email account, so a reset password email will be sent to their new address. The user's email will not change until they complete the reset password process."
|
admin_note: "Note: An admin user changing another non-admin user's email indicates the user has lost access to their original email account, so a reset password email will be sent to their new address. The user's email will not change until they complete the reset password process."
|
||||||
|
@ -2648,7 +2648,7 @@ en:
|
||||||
action: "Send Invite"
|
action: "Send Invite"
|
||||||
help: "invite others to this topic via email or notifications"
|
help: "invite others to this topic via email or notifications"
|
||||||
to_forum: "We'll send a brief email allowing your friend to immediately join by clicking a link."
|
to_forum: "We'll send a brief email allowing your friend to immediately join by clicking a link."
|
||||||
sso_enabled: "Enter the username of the person you'd like to invite to this topic."
|
discourse_connect_enabled: "Enter the username of the person you'd like to invite to this topic."
|
||||||
to_topic_blank: "Enter the username or email address of the person you'd like to invite to this topic."
|
to_topic_blank: "Enter the username or email address of the person you'd like to invite to this topic."
|
||||||
to_topic_email: "You've entered an email address. We'll email an invitation that allows your friend to immediately reply to this topic."
|
to_topic_email: "You've entered an email address. We'll email an invitation that allows your friend to immediately reply to this topic."
|
||||||
to_topic_username: "You've entered a username. We'll send a notification with a link inviting them to this topic."
|
to_topic_username: "You've entered a username. We'll send a notification with a link inviting them to this topic."
|
||||||
|
@ -3863,7 +3863,7 @@ en:
|
||||||
wordpress: Necessary for the WordPress wp-discourse plugin to work.
|
wordpress: Necessary for the WordPress wp-discourse plugin to work.
|
||||||
users:
|
users:
|
||||||
bookmarks: List user bookmarks. It returns bookmark reminders when using the ICS format.
|
bookmarks: List user bookmarks. It returns bookmark reminders when using the ICS format.
|
||||||
sync_sso: Synchronize a user using SSO.
|
sync_sso: Synchronize a user using DiscourseConnect.
|
||||||
show: Obtain information about an user.
|
show: Obtain information about an user.
|
||||||
check_emails: List user emails.
|
check_emails: List user emails.
|
||||||
update: Update user profile information.
|
update: Update user profile information.
|
||||||
|
@ -4853,8 +4853,8 @@ en:
|
||||||
on_grace_period: "Currently in promotion grace period, will not be demoted."
|
on_grace_period: "Currently in promotion grace period, will not be demoted."
|
||||||
locked_will_not_be_promoted: "Trust level locked. Will never be promoted."
|
locked_will_not_be_promoted: "Trust level locked. Will never be promoted."
|
||||||
locked_will_not_be_demoted: "Trust level locked. Will never be demoted."
|
locked_will_not_be_demoted: "Trust level locked. Will never be demoted."
|
||||||
sso:
|
discourse_connect:
|
||||||
title: "Single Sign On"
|
title: "DiscourseConnect Single Sign On"
|
||||||
external_id: "External ID"
|
external_id: "External ID"
|
||||||
external_username: "Username"
|
external_username: "Username"
|
||||||
external_name: "Name"
|
external_name: "Name"
|
||||||
|
@ -4862,7 +4862,7 @@ en:
|
||||||
external_avatar_url: "Profile Picture URL"
|
external_avatar_url: "Profile Picture URL"
|
||||||
last_payload: "Last Payload"
|
last_payload: "Last Payload"
|
||||||
delete_sso_record: "Delete SSO Record"
|
delete_sso_record: "Delete SSO Record"
|
||||||
confirm_delete: "Are you sure you would like to delete this single sign on (SSO) record?"
|
confirm_delete: "Are you sure you would like to delete this DiscourseConnect record?"
|
||||||
|
|
||||||
user_fields:
|
user_fields:
|
||||||
title: "User Fields"
|
title: "User Fields"
|
||||||
|
|
|
@ -180,7 +180,7 @@ en:
|
||||||
one: is the wrong length (should be %{count} character)
|
one: is the wrong length (should be %{count} character)
|
||||||
other: is the wrong length (should be %{count} characters)
|
other: is the wrong length (should be %{count} characters)
|
||||||
other_than: "must be other than %{count}"
|
other_than: "must be other than %{count}"
|
||||||
sso_overrides_username: "Username needs to be updated on SSO provider side, since `sso_overrides_username` setting is enabled."
|
auth_overrides_username: "Username needs to be updated on authentication provider side, since `auth_overrides_username` setting is enabled."
|
||||||
template:
|
template:
|
||||||
body: ! "There were problems with the following fields:"
|
body: ! "There were problems with the following fields:"
|
||||||
header:
|
header:
|
||||||
|
@ -204,7 +204,7 @@ en:
|
||||||
share_quote_facebook_requirements: "You must set a Facebook app id to enable quote sharing for Facebook."
|
share_quote_facebook_requirements: "You must set a Facebook app id to enable quote sharing for Facebook."
|
||||||
second_factor_cannot_enforce_with_socials: "You cannot enforce 2FA with social logins enabled. You must first disable login via: %{auth_provider_names}"
|
second_factor_cannot_enforce_with_socials: "You cannot enforce 2FA with social logins enabled. You must first disable login via: %{auth_provider_names}"
|
||||||
second_factor_cannot_be_enforced_with_disabled_local_login: "You cannot enforce 2FA if local logins are disabled."
|
second_factor_cannot_be_enforced_with_disabled_local_login: "You cannot enforce 2FA if local logins are disabled."
|
||||||
second_factor_cannot_be_enforced_with_sso_enabled: "You cannot enforce 2FA if SSO is enabled."
|
second_factor_cannot_be_enforced_with_discourse_connect_enabled: "You cannot enforce 2FA if DiscourseConnect is enabled."
|
||||||
local_login_cannot_be_disabled_if_second_factor_enforced: "You cannot disable local login if 2FA is enforced. Disable enforced 2FA before disabling local logins."
|
local_login_cannot_be_disabled_if_second_factor_enforced: "You cannot disable local login if 2FA is enforced. Disable enforced 2FA before disabling local logins."
|
||||||
cannot_enable_s3_uploads_when_s3_enabled_globally: "You cannot enable S3 uploads because S3 uploads are already globally enabled, and enabling this site-level could cause critical issues with uploads"
|
cannot_enable_s3_uploads_when_s3_enabled_globally: "You cannot enable S3 uploads because S3 uploads are already globally enabled, and enabling this site-level could cause critical issues with uploads"
|
||||||
cors_origins_should_not_have_trailing_slash: "You should not add the trailing slash (/) to CORS origins."
|
cors_origins_should_not_have_trailing_slash: "You should not add the trailing slash (/) to CORS origins."
|
||||||
|
@ -239,7 +239,7 @@ en:
|
||||||
confirm_email: "<p>You’re almost done! We sent an activation mail to your email address. Please follow the instructions in the mail to activate your account.</p><p>If it doesn’t arrive, check your spam folder.</p>"
|
confirm_email: "<p>You’re almost done! We sent an activation mail to your email address. Please follow the instructions in the mail to activate your account.</p><p>If it doesn’t arrive, check your spam folder.</p>"
|
||||||
cant_invite_to_group: "You are not allowed to invite users to specified group(s). Make sure you are owner of the group(s) you are trying to invite to."
|
cant_invite_to_group: "You are not allowed to invite users to specified group(s). Make sure you are owner of the group(s) you are trying to invite to."
|
||||||
disabled_errors:
|
disabled_errors:
|
||||||
sso_enabled: "Invites are disabled because SSO is enabled."
|
discourse_connect_enabled: "Invites are disabled because DiscourseConnect is enabled."
|
||||||
local_logins_disabled: "Invites are disabled because the 'enable local logins' setting is disabled."
|
local_logins_disabled: "Invites are disabled because the 'enable local logins' setting is disabled."
|
||||||
invalid_access: "You are not permitted to view the requested resource."
|
invalid_access: "You are not permitted to view the requested resource."
|
||||||
|
|
||||||
|
@ -448,7 +448,7 @@ en:
|
||||||
one: "Maximum %{count} user can be added at once"
|
one: "Maximum %{count} user can be added at once"
|
||||||
other: "Maximum %{count} users can be added at once"
|
other: "Maximum %{count} users can be added at once"
|
||||||
usernames_or_emails_required: "Usernames or emails must be present"
|
usernames_or_emails_required: "Usernames or emails must be present"
|
||||||
no_invites_with_sso: "You can invite only registered users when SSO is enabled"
|
no_invites_with_discourse_connect: "You can invite only registered users when DiscourseConnect is enabled"
|
||||||
no_invites_without_local_logins: "You can invite only registered users when local logins are disabled"
|
no_invites_without_local_logins: "You can invite only registered users when local logins are disabled"
|
||||||
default_names:
|
default_names:
|
||||||
everyone: "everyone"
|
everyone: "everyone"
|
||||||
|
@ -1532,7 +1532,7 @@ en:
|
||||||
detailed_404: "Provides more details to users about why they can’t access a particular topic. Note: This is less secure because users will know if a URL links to a valid topic."
|
detailed_404: "Provides more details to users about why they can’t access a particular topic. Note: This is less secure because users will know if a URL links to a valid topic."
|
||||||
enforce_second_factor: "Forces users to enable two-factor authentication. Select 'all' to enforce it to all users. Select 'staff' to enforce it to staff users only."
|
enforce_second_factor: "Forces users to enable two-factor authentication. Select 'all' to enforce it to all users. Select 'staff' to enforce it to staff users only."
|
||||||
force_https: "Force your site to use HTTPS only. WARNING: do NOT enable this until you verify HTTPS is fully set up and working absolutely everywhere! Did you check your CDN, all social logins, and any external logos / dependencies to make sure they are all HTTPS compatible, too?"
|
force_https: "Force your site to use HTTPS only. WARNING: do NOT enable this until you verify HTTPS is fully set up and working absolutely everywhere! Did you check your CDN, all social logins, and any external logos / dependencies to make sure they are all HTTPS compatible, too?"
|
||||||
same_site_cookies: "Use same site cookies, they eliminate all vectors Cross Site Request Forgery on supported browsers (Lax or Strict). Warning: Strict will only work on sites that force login and use SSO."
|
same_site_cookies: "Use same site cookies, they eliminate all vectors Cross Site Request Forgery on supported browsers (Lax or Strict). Warning: Strict will only work on sites that force login and use an external auth method."
|
||||||
summary_score_threshold: "The minimum score required for a post to be included in 'Summarize This Topic'"
|
summary_score_threshold: "The minimum score required for a post to be included in 'Summarize This Topic'"
|
||||||
summary_posts_required: "Minimum posts in a topic before 'Summarize This Topic' is enabled. Changes to this setting will be applied retroactively within a week."
|
summary_posts_required: "Minimum posts in a topic before 'Summarize This Topic' is enabled. Changes to this setting will be applied retroactively within a week."
|
||||||
summary_likes_required: "Minimum likes in a topic before 'Summarize This Topic' is enabled. Changes to this setting will be applied retroactively within a week."
|
summary_likes_required: "Minimum likes in a topic before 'Summarize This Topic' is enabled. Changes to this setting will be applied retroactively within a week."
|
||||||
|
@ -1656,27 +1656,27 @@ en:
|
||||||
password_unique_characters: "Minimum number of unique characters that a password must have."
|
password_unique_characters: "Minimum number of unique characters that a password must have."
|
||||||
block_common_passwords: "Don't allow passwords that are in the 10,000 most common passwords."
|
block_common_passwords: "Don't allow passwords that are in the 10,000 most common passwords."
|
||||||
|
|
||||||
external_auth_skip_create_confirm: When signing up via external auth, skip the create account popup. Best used alongside sso_overrides_email, sso_overrides_username and sso_overrides_name.
|
auth_skip_create_confirm: When signing up via external auth, skip the create account popup. Best used alongside auth_overrides_email, auth_overrides_username and auth_overrides_name.
|
||||||
external_auth_immediately: "Automatically redirect to the external login system without user interaction. This only takes effect when login_required is true, and there is only one external authentication method"
|
auth_immediately: "Automatically redirect to the external login system without user interaction. This only takes effect when login_required is true, and there is only one external authentication method"
|
||||||
|
|
||||||
enable_sso: "Enable single sign on via an external site (WARNING: USERS' EMAIL ADDRESSES *MUST* BE VALIDATED BY THE EXTERNAL SITE!)"
|
enable_discourse_connect: "Enable sign on via DiscourseConnect (formerly 'Discourse SSO') (WARNING: USERS' EMAIL ADDRESSES *MUST* BE VALIDATED BY THE EXTERNAL SITE!)"
|
||||||
verbose_sso_logging: "Log verbose SSO related diagnostics to <a href='%{base_path}/logs' target='_blank'>/logs</a>"
|
verbose_discourse_connect_logging: "Log verbose DiscourseConnect related diagnostics to <a href='%{base_path}/logs' target='_blank'>/logs</a>"
|
||||||
enable_sso_provider: "Implement Discourse SSO provider protocol at the /session/sso_provider endpoint, requires sso_provider_secrets to be set"
|
enable_discourse_connect_provider: "Implement DiscourseConnect (formerly 'Discourse SSO') provider protocol at the /session/sso_provider endpoint, requires discourse_connect_provider_secrets to be set"
|
||||||
sso_url: "URL of single sign on endpoint (must include http:// or https://)"
|
discourse_connect_url: "URL of DiscourseConnect endpoint (must include http:// or https://)"
|
||||||
sso_secret: "Secret string used to cryptographically authenticate SSO information, be sure it is 10 characters or longer"
|
discourse_connect_secret: "Secret string used to cryptographically authenticate DiscourseConnect information, be sure it is 10 characters or longer"
|
||||||
sso_provider_secrets: "A list of domain-secret pairs that are using Discourse as an SSO provider. Make sure SSO secret is 10 characters or longer. Wildcard symbol * can be used to match any domain or only a part of it (e.g. *.example.com)."
|
discourse_connect_provider_secrets: "A list of domain-secret pairs that are using DiscourseConnect. Make sure DiscourseConnect secret is 10 characters or longer. Wildcard symbol * can be used to match any domain or only a part of it (e.g. *.example.com)."
|
||||||
sso_overrides_bio: "Overrides user bio in user profile and prevents user from changing it"
|
discourse_connect_overrides_bio: "Overrides user bio in user profile and prevents user from changing it"
|
||||||
sso_overrides_groups: "Synchronize all manual group membership with groups specified in the groups sso attribute (WARNING: if you do not specify groups all manual group membership will be cleared for user)"
|
discourse_connect_overrides_groups: "Synchronize all manual group membership with groups specified in the groups attribute (WARNING: if you do not specify groups all manual group membership will be cleared for user)"
|
||||||
sso_overrides_email: "Overrides local email with external site email from SSO payload on every login, and prevent local changes. Applies to all authentication providers. (WARNING: discrepancies can occur due to normalization of local emails)"
|
auth_overrides_email: "Overrides local email with external site email on every login, and prevent local changes. Applies to all authentication providers. (WARNING: discrepancies can occur due to normalization of local emails)"
|
||||||
sso_overrides_username: "Overrides local username with external site username from SSO payload on every login, and prevent local changes. Applies to all authentication providers. (WARNING: discrepancies can occur due to differences in username length/requirements)"
|
auth_overrides_username: "Overrides local username with external site username on every login, and prevent local changes. Applies to all authentication providers. (WARNING: discrepancies can occur due to differences in username length/requirements)"
|
||||||
sso_overrides_name: "Overrides local full name with external site full name from SSO payload on every login, and prevent local changes. Applies to all authentication providers."
|
auth_overrides_name: "Overrides local full name with external site full name on every login, and prevent local changes. Applies to all authentication providers."
|
||||||
sso_overrides_avatar: "Overrides user avatar with external site avatar from SSO payload. If enabled, users will not be allowed to upload avatars on Discourse."
|
discourse_connect_overrides_avatar: "Overrides user avatar with external site avatar from DiscourseConnect payload. If enabled, users will not be allowed to upload avatars on Discourse."
|
||||||
sso_overrides_location: "Overrides user location with external location from SSO payload and prevent local changes."
|
discourse_connect_overrides_location: "Overrides user location with external location from DiscourseConnect payload and prevent local changes."
|
||||||
sso_overrides_website: "Overrides user website with external location from SSO payload and prevent local changes."
|
discourse_connect_overrides_website: "Overrides user website with external location from DiscourseConnect payload and prevent local changes."
|
||||||
sso_overrides_profile_background: "Overrides user profile background with external site avatar from SSO payload."
|
discourse_connect_overrides_profile_background: "Overrides user profile background with external site avatar from DiscourseConnect payload."
|
||||||
sso_overrides_card_background: "Overrides user card background with external site avatar from SSO payload."
|
discourse_connect_overrides_card_background: "Overrides user card background with external site avatar from DiscourseConnect payload."
|
||||||
sso_not_approved_url: "Redirect unapproved SSO accounts to this URL"
|
discourse_connect_not_approved_url: "Redirect unapproved DiscourseConnect accounts to this URL"
|
||||||
sso_allows_all_return_paths: "Do not restrict the domain for return_paths provided by SSO (by default return path must be on current site)"
|
discourse_connect_allows_all_return_paths: "Do not restrict the domain for return_paths provided by DiscourseConnect (by default return path must be on current site)"
|
||||||
|
|
||||||
enable_local_logins: "Enable local username and password login based accounts. This must be enabled for invites to work. WARNING: if disabled, you may be unable to log in if you have not previously configured at least one alternate login method."
|
enable_local_logins: "Enable local username and password login based accounts. This must be enabled for invites to work. WARNING: if disabled, you may be unable to log in if you have not previously configured at least one alternate login method."
|
||||||
enable_local_logins_via_email: "Allow users to request a one-click login link to be sent to them via email."
|
enable_local_logins_via_email: "Allow users to request a one-click login link to be sent to them via email."
|
||||||
|
@ -2313,8 +2313,8 @@ en:
|
||||||
email_editable_enabled: "You must disable 'email editable' before enabling this setting."
|
email_editable_enabled: "You must disable 'email editable' before enabling this setting."
|
||||||
staged_users_disabled: "You must first enable 'staged users' before enabling this setting."
|
staged_users_disabled: "You must first enable 'staged users' before enabling this setting."
|
||||||
reply_by_email_disabled: "You must first enable 'reply by email' before enabling this setting."
|
reply_by_email_disabled: "You must first enable 'reply by email' before enabling this setting."
|
||||||
sso_url_is_empty: "You must set a 'sso url' before enabling this setting."
|
discourse_connect_url_is_empty: "You must set a 'discourse connect url' before enabling this setting."
|
||||||
sso_invite_only: "You cannot enable sso and invite only at the same time."
|
discourse_connect_invite_only: "You cannot enable DiscourseConnect and invite only at the same time."
|
||||||
enable_local_logins_disabled: "You must first enable 'enable local logins' before enabling this setting."
|
enable_local_logins_disabled: "You must first enable 'enable local logins' before enabling this setting."
|
||||||
min_username_length_exists: "You cannot set the minimum username length above the shortest username (%{username})."
|
min_username_length_exists: "You cannot set the minimum username length above the shortest username (%{username})."
|
||||||
min_username_length_range: "You cannot set the minimum above the maximum."
|
min_username_length_range: "You cannot set the minimum above the maximum."
|
||||||
|
@ -2334,9 +2334,9 @@ en:
|
||||||
list_value_count: "The list must contain exactly %{count} values."
|
list_value_count: "The list must contain exactly %{count} values."
|
||||||
|
|
||||||
placeholder:
|
placeholder:
|
||||||
sso_provider_secrets:
|
discourse_connect_provider_secrets:
|
||||||
key: "www.example.com"
|
key: "www.example.com"
|
||||||
value: "SSO secret"
|
value: "DiscourseConnect secret"
|
||||||
|
|
||||||
search:
|
search:
|
||||||
extreme_load_error: "Site is under extreme load, search is disabled, try again later"
|
extreme_load_error: "Site is under extreme load, search is disabled, try again later"
|
||||||
|
@ -2349,7 +2349,7 @@ en:
|
||||||
audio: "[audio]"
|
audio: "[audio]"
|
||||||
video: "[video]"
|
video: "[video]"
|
||||||
|
|
||||||
sso:
|
discourse_connect:
|
||||||
login_error: "Login Error"
|
login_error: "Login Error"
|
||||||
not_found: "Your account couldn't be found. Please contact the site's administrator."
|
not_found: "Your account couldn't be found. Please contact the site's administrator."
|
||||||
account_not_approved: "Your account is pending approval. You will receive an email notification when you are approved."
|
account_not_approved: "Your account is pending approval. You will receive an email notification when you are approved."
|
||||||
|
@ -2358,7 +2358,7 @@ en:
|
||||||
no_email: "No email address was provided. Please contact the site's administrator."
|
no_email: "No email address was provided. Please contact the site's administrator."
|
||||||
blank_id_error: "The `external_id` is required but was blank"
|
blank_id_error: "The `external_id` is required but was blank"
|
||||||
email_error: "An account could not be registered with the email address <b>%{email}</b>. Please contact the site's administrator."
|
email_error: "An account could not be registered with the email address <b>%{email}</b>. Please contact the site's administrator."
|
||||||
missing_secret: "SSO authentication failed due to missing secret. Contact the site administrators to fix this problem."
|
missing_secret: "Authentication failed due to missing secret. Contact the site administrators to fix this problem."
|
||||||
|
|
||||||
original_poster: "Original Poster"
|
original_poster: "Original Poster"
|
||||||
most_posts: "Most Posts"
|
most_posts: "Most Posts"
|
||||||
|
|
|
@ -423,31 +423,31 @@ login:
|
||||||
default: ""
|
default: ""
|
||||||
type: list
|
type: list
|
||||||
list_type: simple
|
list_type: simple
|
||||||
external_auth_skip_create_confirm:
|
auth_skip_create_confirm:
|
||||||
default: false
|
default: false
|
||||||
client: true
|
client: true
|
||||||
external_auth_immediately:
|
auth_immediately:
|
||||||
default: true
|
default: true
|
||||||
enable_sso:
|
enable_discourse_connect:
|
||||||
client: true
|
client: true
|
||||||
default: false
|
default: false
|
||||||
validator: "EnableSsoValidator"
|
validator: "EnableSsoValidator"
|
||||||
sso_allows_all_return_paths: false
|
discourse_connect_allows_all_return_paths: false
|
||||||
enable_sso_provider: false
|
enable_discourse_connect_provider: false
|
||||||
verbose_sso_logging: false
|
verbose_discourse_connect_logging: false
|
||||||
verbose_auth_token_logging:
|
verbose_auth_token_logging:
|
||||||
hidden: true
|
hidden: true
|
||||||
default: true
|
default: true
|
||||||
max_suspicious_distance_km:
|
max_suspicious_distance_km:
|
||||||
hidden: true
|
hidden: true
|
||||||
default: 500
|
default: 500
|
||||||
sso_url:
|
discourse_connect_url:
|
||||||
default: ""
|
default: ""
|
||||||
regex: '^https?:\/\/.+[^\/]$'
|
regex: '^https?:\/\/.+[^\/]$'
|
||||||
sso_secret:
|
discourse_connect_secret:
|
||||||
default: ""
|
default: ""
|
||||||
secret: true
|
secret: true
|
||||||
sso_provider_secrets:
|
discourse_connect_provider_secrets:
|
||||||
default: ""
|
default: ""
|
||||||
type: list
|
type: list
|
||||||
list_type: secret
|
list_type: secret
|
||||||
|
@ -455,22 +455,22 @@ login:
|
||||||
placeholder:
|
placeholder:
|
||||||
key: "sso_provider.key_placeholder"
|
key: "sso_provider.key_placeholder"
|
||||||
value: "sso_provider.value_placeholder"
|
value: "sso_provider.value_placeholder"
|
||||||
sso_overrides_groups: false
|
discourse_connect_overrides_groups: false
|
||||||
sso_overrides_bio: false
|
discourse_connect_overrides_bio: false
|
||||||
sso_overrides_email:
|
auth_overrides_email:
|
||||||
default: false
|
default: false
|
||||||
validator: "SsoOverridesEmailValidator"
|
validator: "SsoOverridesEmailValidator"
|
||||||
client: true
|
client: true
|
||||||
sso_overrides_username: false
|
auth_overrides_username: false
|
||||||
sso_overrides_name: false
|
auth_overrides_name: false
|
||||||
sso_overrides_avatar:
|
discourse_connect_overrides_avatar:
|
||||||
default: false
|
default: false
|
||||||
client: true
|
client: true
|
||||||
sso_overrides_profile_background: false
|
discourse_connect_overrides_profile_background: false
|
||||||
sso_overrides_location: false
|
discourse_connect_overrides_location: false
|
||||||
sso_overrides_website: false
|
discourse_connect_overrides_website: false
|
||||||
sso_overrides_card_background: false
|
discourse_connect_overrides_card_background: false
|
||||||
sso_not_approved_url: ""
|
discourse_connect_not_approved_url: ""
|
||||||
blocked_email_domains:
|
blocked_email_domains:
|
||||||
default: "mailinator.com"
|
default: "mailinator.com"
|
||||||
type: list
|
type: list
|
||||||
|
|
|
@ -2,12 +2,14 @@
|
||||||
|
|
||||||
class AddSsoProviderSecretsToSiteSettings < ActiveRecord::Migration[5.2]
|
class AddSsoProviderSecretsToSiteSettings < ActiveRecord::Migration[5.2]
|
||||||
def up
|
def up
|
||||||
return unless SiteSetting.enable_sso_provider && SiteSetting.sso_secret.present?
|
execute <<~SQL
|
||||||
sso_secret = SiteSetting.sso_secret
|
INSERT INTO site_settings(name, data_type, value, created_at, updated_at)
|
||||||
sso_secret_insert = ActiveRecord::Base.connection.quote("*|#{sso_secret}")
|
SELECT 'sso_provider_secrets', 8, '*|' || value, now(), now()
|
||||||
|
FROM site_settings WHERE name = 'sso_secret'
|
||||||
execute "INSERT INTO site_settings(name, data_type, value, created_at, updated_at)
|
AND EXISTS (
|
||||||
VALUES ('sso_provider_secrets', 8, #{sso_secret_insert}, now(), now())"
|
SELECT 1 FROM site_settings WHERE name = 'enable_sso_provider' AND value = 't'
|
||||||
|
)
|
||||||
|
SQL
|
||||||
end
|
end
|
||||||
|
|
||||||
def down
|
def down
|
||||||
|
|
|
@ -0,0 +1,43 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
class RenameSsoSiteSettings < ActiveRecord::Migration[6.0]
|
||||||
|
RENAME_SETTINGS = [
|
||||||
|
['enable_sso', 'enable_discourse_connect'],
|
||||||
|
['sso_allows_all_return_paths', 'discourse_connect_allows_all_return_paths'],
|
||||||
|
['enable_sso_provider', 'enable_discourse_connect_provider'],
|
||||||
|
['verbose_sso_logging', 'verbose_discourse_connect_logging'],
|
||||||
|
['sso_url', 'discourse_connect_url'],
|
||||||
|
['sso_secret', 'discourse_connect_secret'],
|
||||||
|
['sso_provider_secrets', 'discourse_connect_provider_secrets'],
|
||||||
|
['sso_overrides_groups', 'discourse_connect_overrides_groups'],
|
||||||
|
['sso_overrides_bio', 'discourse_connect_overrides_bio'],
|
||||||
|
['sso_overrides_email', 'auth_overrides_email'],
|
||||||
|
['sso_overrides_username', 'auth_overrides_username'],
|
||||||
|
['sso_overrides_name', 'auth_overrides_name'],
|
||||||
|
['sso_overrides_avatar', 'discourse_connect_overrides_avatar'],
|
||||||
|
['sso_overrides_profile_background', 'discourse_connect_overrides_profile_background'],
|
||||||
|
['sso_overrides_location', 'discourse_connect_overrides_location'],
|
||||||
|
['sso_overrides_website', 'discourse_connect_overrides_website'],
|
||||||
|
['sso_overrides_card_background', 'discourse_connect_overrides_card_background'],
|
||||||
|
['external_auth_skip_create_confirm', 'auth_skip_create_confirm'],
|
||||||
|
['external_auth_immediately', 'auth_immediately']
|
||||||
|
]
|
||||||
|
|
||||||
|
def up
|
||||||
|
# Copying the rows so that things keep working during deploy
|
||||||
|
# TODO: Add a post-deploy migration to drop the old rows
|
||||||
|
|
||||||
|
RENAME_SETTINGS.each do |old_name, new_name|
|
||||||
|
execute <<~SQL
|
||||||
|
INSERT INTO site_settings (name, data_type, value, created_at, updated_at)
|
||||||
|
SELECT '#{new_name}', data_type, value, created_at, updated_at
|
||||||
|
FROM site_settings
|
||||||
|
WHERE name = '#{old_name}'
|
||||||
|
SQL
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def down
|
||||||
|
raise ActiveRecord::IrreversibleMigration
|
||||||
|
end
|
||||||
|
end
|
|
@ -70,17 +70,17 @@ class Auth::Result
|
||||||
|
|
||||||
def apply_user_attributes!
|
def apply_user_attributes!
|
||||||
change_made = false
|
change_made = false
|
||||||
if SiteSetting.sso_overrides_username? && username.present? && username != user.username
|
if SiteSetting.auth_overrides_username? && username.present? && username != user.username
|
||||||
user.username = UserNameSuggester.suggest(username || name || email, user.username)
|
user.username = UserNameSuggester.suggest(username || name || email, user.username)
|
||||||
change_made = true
|
change_made = true
|
||||||
end
|
end
|
||||||
|
|
||||||
if SiteSetting.sso_overrides_email && email_valid && email.present? && user.email != Email.downcase(email)
|
if SiteSetting.auth_overrides_email && email_valid && email.present? && user.email != Email.downcase(email)
|
||||||
user.email = email
|
user.email = email
|
||||||
change_made = true
|
change_made = true
|
||||||
end
|
end
|
||||||
|
|
||||||
if SiteSetting.sso_overrides_name && name.present? && user.name != name
|
if SiteSetting.auth_overrides_name && name.present? && user.name != name
|
||||||
user.name = name
|
user.name = name
|
||||||
change_made = true
|
change_made = true
|
||||||
end
|
end
|
||||||
|
@ -89,11 +89,11 @@ class Auth::Result
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_edit_name
|
def can_edit_name
|
||||||
!SiteSetting.sso_overrides_name
|
!SiteSetting.auth_overrides_name
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_edit_username
|
def can_edit_username
|
||||||
!(SiteSetting.sso_overrides_username || omit_username)
|
!(SiteSetting.auth_overrides_username || omit_username)
|
||||||
end
|
end
|
||||||
|
|
||||||
def to_client_hash
|
def to_client_hash
|
||||||
|
|
|
@ -78,7 +78,7 @@ class ComposerMessagesFinder
|
||||||
# - "disable avatar education message" is enabled
|
# - "disable avatar education message" is enabled
|
||||||
# - "sso overrides avatar" is enabled
|
# - "sso overrides avatar" is enabled
|
||||||
# - "allow uploaded avatars" is disabled
|
# - "allow uploaded avatars" is disabled
|
||||||
return if SiteSetting.disable_avatar_education_message || SiteSetting.sso_overrides_avatar || !SiteSetting.allow_uploaded_avatars
|
return if SiteSetting.disable_avatar_education_message || SiteSetting.discourse_connect_overrides_avatar || !SiteSetting.allow_uploaded_avatars
|
||||||
|
|
||||||
# If we got this far, log that we've nagged them about the avatar
|
# If we got this far, log that we've nagged them about the avatar
|
||||||
UserHistory.create!(action: UserHistory.actions[:notified_about_avatar], target_user_id: @user.id)
|
UserHistory.create!(action: UserHistory.actions[:notified_about_avatar], target_user_id: @user.id)
|
||||||
|
|
|
@ -353,7 +353,7 @@ class Guardian
|
||||||
def can_invite_to_forum?(groups = nil)
|
def can_invite_to_forum?(groups = nil)
|
||||||
authenticated? &&
|
authenticated? &&
|
||||||
(SiteSetting.max_invites_per_day.to_i > 0 || is_staff?) &&
|
(SiteSetting.max_invites_per_day.to_i > 0 || is_staff?) &&
|
||||||
!SiteSetting.enable_sso &&
|
!SiteSetting.enable_discourse_connect &&
|
||||||
SiteSetting.enable_local_logins &&
|
SiteSetting.enable_local_logins &&
|
||||||
(
|
(
|
||||||
(!SiteSetting.must_approve_users? && @user.has_trust_level?(SiteSetting.min_trust_level_to_allow_invite.to_i)) ||
|
(!SiteSetting.must_approve_users? && @user.has_trust_level?(SiteSetting.min_trust_level_to_allow_invite.to_i)) ||
|
||||||
|
@ -391,7 +391,7 @@ class Guardian
|
||||||
|
|
||||||
def can_invite_via_email?(object)
|
def can_invite_via_email?(object)
|
||||||
return false unless can_invite_to?(object)
|
return false unless can_invite_to?(object)
|
||||||
!SiteSetting.enable_sso && SiteSetting.enable_local_logins && (!SiteSetting.must_approve_users? || is_staff?)
|
!SiteSetting.enable_discourse_connect && SiteSetting.enable_local_logins && (!SiteSetting.must_approve_users? || is_staff?)
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_bulk_invite_to_forum?(user)
|
def can_bulk_invite_to_forum?(user)
|
||||||
|
|
|
@ -23,7 +23,7 @@ module UserGuardian
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_edit_username?(user)
|
def can_edit_username?(user)
|
||||||
return false if SiteSetting.sso_overrides_username?
|
return false if SiteSetting.auth_overrides_username?
|
||||||
return true if is_staff?
|
return true if is_staff?
|
||||||
return false if SiteSetting.username_change_period <= 0
|
return false if SiteSetting.username_change_period <= 0
|
||||||
return false if is_anonymous?
|
return false if is_anonymous?
|
||||||
|
@ -31,7 +31,7 @@ module UserGuardian
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_edit_email?(user)
|
def can_edit_email?(user)
|
||||||
return false if SiteSetting.sso_overrides_email?
|
return false if SiteSetting.auth_overrides_email?
|
||||||
return false unless SiteSetting.email_editable?
|
return false unless SiteSetting.email_editable?
|
||||||
return true if is_staff?
|
return true if is_staff?
|
||||||
return false if is_anonymous?
|
return false if is_anonymous?
|
||||||
|
@ -40,7 +40,7 @@ module UserGuardian
|
||||||
|
|
||||||
def can_edit_name?(user)
|
def can_edit_name?(user)
|
||||||
return false unless SiteSetting.enable_names?
|
return false unless SiteSetting.enable_names?
|
||||||
return false if SiteSetting.sso_overrides_name?
|
return false if SiteSetting.auth_overrides_name?
|
||||||
return true if is_staff?
|
return true if is_staff?
|
||||||
return false if is_anonymous?
|
return false if is_anonymous?
|
||||||
can_edit?(user)
|
can_edit?(user)
|
||||||
|
@ -61,7 +61,7 @@ module UserGuardian
|
||||||
def can_delete_user?(user)
|
def can_delete_user?(user)
|
||||||
return false if user.nil? || user.admin?
|
return false if user.nil? || user.admin?
|
||||||
if is_me?(user)
|
if is_me?(user)
|
||||||
!SiteSetting.enable_sso &&
|
!SiteSetting.enable_discourse_connect &&
|
||||||
!user.has_more_posts_than?(SiteSetting.delete_user_self_max_post_count)
|
!user.has_more_posts_than?(SiteSetting.delete_user_self_max_post_count)
|
||||||
else
|
else
|
||||||
is_staff? && (
|
is_staff? && (
|
||||||
|
@ -173,6 +173,6 @@ module UserGuardian
|
||||||
end
|
end
|
||||||
|
|
||||||
def can_delete_sso_record?(user)
|
def can_delete_sso_record?(user)
|
||||||
SiteSetting.enable_sso && user && is_admin?
|
SiteSetting.enable_discourse_connect && user && is_admin?
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -7,7 +7,7 @@ class SingleSignOnProvider < SingleSignOn
|
||||||
set_return_sso_url(payload)
|
set_return_sso_url(payload)
|
||||||
if sso_secret.blank? && self.sso_secret.blank?
|
if sso_secret.blank? && self.sso_secret.blank?
|
||||||
host = URI.parse(@return_sso_url).host
|
host = URI.parse(@return_sso_url).host
|
||||||
Rails.logger.warn("SSO failed; website #{host} is not in the `sso_provider_secrets` site settings")
|
Rails.logger.warn("SSO failed; website #{host} is not in the `discourse_connect_provider_secrets` site settings")
|
||||||
raise BlankSecret
|
raise BlankSecret
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -24,9 +24,9 @@ class SingleSignOnProvider < SingleSignOn
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.sso_secret
|
def self.sso_secret
|
||||||
return nil unless @return_sso_url && SiteSetting.enable_sso_provider
|
return nil unless @return_sso_url && SiteSetting.enable_discourse_connect_provider
|
||||||
|
|
||||||
provider_secrets = SiteSetting.sso_provider_secrets.split(/[|\n]/)
|
provider_secrets = SiteSetting.discourse_connect_provider_secrets.split(/[|\n]/)
|
||||||
provider_secrets_hash = Hash[*provider_secrets]
|
provider_secrets_hash = Hash[*provider_secrets]
|
||||||
return_url_host = URI.parse(@return_sso_url).host
|
return_url_host = URI.parse(@return_sso_url).host
|
||||||
# moves wildcard domains to the end of hash
|
# moves wildcard domains to the end of hash
|
||||||
|
|
|
@ -10,7 +10,27 @@ module SiteSettings::DeprecatedSettings
|
||||||
['enable_category_group_review', 'enable_category_group_moderation', true, '2.7'],
|
['enable_category_group_review', 'enable_category_group_moderation', true, '2.7'],
|
||||||
['newuser_max_images', 'newuser_max_embedded_media', true, '2.7'],
|
['newuser_max_images', 'newuser_max_embedded_media', true, '2.7'],
|
||||||
['min_trust_to_post_images', 'min_trust_to_post_embedded_media', true, '2.7'],
|
['min_trust_to_post_images', 'min_trust_to_post_embedded_media', true, '2.7'],
|
||||||
['moderators_create_categories', 'moderators_manage_categories_and_groups', '2.7']
|
['moderators_create_categories', 'moderators_manage_categories_and_groups', '2.7'],
|
||||||
|
|
||||||
|
['enable_sso', 'enable_discourse_connect', true, '2.8'],
|
||||||
|
['sso_allows_all_return_paths', 'discourse_connect_allows_all_return_paths', true, '2.8'],
|
||||||
|
['enable_sso_provider', 'enable_discourse_connect_provider', true, '2.8'],
|
||||||
|
['verbose_sso_logging', 'verbose_discourse_connect_logging', true, '2.8'],
|
||||||
|
['sso_url', 'discourse_connect_url', true, '2.8'],
|
||||||
|
['sso_secret', 'discourse_connect_secret', true, '2.8'],
|
||||||
|
['sso_provider_secrets', 'discourse_connect_provider_secrets', true, '2.8'],
|
||||||
|
['sso_overrides_groups', 'discourse_connect_overrides_groups', true, '2.8'],
|
||||||
|
['sso_overrides_bio', 'discourse_connect_overrides_bio', true, '2.8'],
|
||||||
|
['sso_overrides_email', 'auth_overrides_email', true, '2.8'],
|
||||||
|
['sso_overrides_username', 'auth_overrides_username', true, '2.8'],
|
||||||
|
['sso_overrides_name', 'auth_overrides_name', true, '2.8'],
|
||||||
|
['sso_overrides_avatar', 'discourse_connect_overrides_avatar', true, '2.8'],
|
||||||
|
['sso_overrides_profile_background', 'discourse_connect_overrides_profile_background', true, '2.8'],
|
||||||
|
['sso_overrides_location', 'discourse_connect_overrides_location', true, '2.8'],
|
||||||
|
['sso_overrides_website', 'discourse_connect_overrides_website', true, '2.8'],
|
||||||
|
['sso_overrides_card_background', 'discourse_connect_overrides_card_background', true, '2.8'],
|
||||||
|
['external_auth_skip_create_confirm', 'auth_skip_create_confirm', true, '2.8'],
|
||||||
|
['external_auth_immediately', 'auth_immediately', true, '2.8'],
|
||||||
]
|
]
|
||||||
|
|
||||||
def setup_deprecated_methods
|
def setup_deprecated_methods
|
||||||
|
|
|
@ -177,8 +177,8 @@ module SiteSettings::Validations
|
||||||
end
|
end
|
||||||
|
|
||||||
def validate_enforce_second_factor(new_val)
|
def validate_enforce_second_factor(new_val)
|
||||||
if SiteSetting.enable_sso?
|
if SiteSetting.enable_discourse_connect?
|
||||||
return validate_error :second_factor_cannot_be_enforced_with_sso_enabled
|
return validate_error :second_factor_cannot_be_enforced_with_discourse_connect_enabled
|
||||||
end
|
end
|
||||||
if new_val == "all" && Discourse.enabled_auth_providers.count > 0
|
if new_val == "all" && Discourse.enabled_auth_providers.count > 0
|
||||||
auth_provider_names = Discourse.enabled_auth_providers.map(&:name).join(", ")
|
auth_provider_names = Discourse.enabled_auth_providers.map(&:name).join(", ")
|
||||||
|
|
|
@ -7,10 +7,10 @@ class EnableInviteOnlyValidator
|
||||||
|
|
||||||
def valid_value?(val)
|
def valid_value?(val)
|
||||||
return true if val == 'f'
|
return true if val == 'f'
|
||||||
!SiteSetting.enable_sso?
|
!SiteSetting.enable_discourse_connect?
|
||||||
end
|
end
|
||||||
|
|
||||||
def error_message
|
def error_message
|
||||||
I18n.t('site_settings.errors.sso_invite_only')
|
I18n.t('site_settings.errors.discourse_connect_invite_only')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -7,12 +7,12 @@ class EnableSsoValidator
|
||||||
|
|
||||||
def valid_value?(val)
|
def valid_value?(val)
|
||||||
return true if val == 'f'
|
return true if val == 'f'
|
||||||
return false if SiteSetting.sso_url.blank? || SiteSetting.invite_only?
|
return false if SiteSetting.discourse_connect_url.blank? || SiteSetting.invite_only?
|
||||||
true
|
true
|
||||||
end
|
end
|
||||||
|
|
||||||
def error_message
|
def error_message
|
||||||
return I18n.t('site_settings.errors.sso_url_is_empty') if SiteSetting.sso_url.blank?
|
return I18n.t('site_settings.errors.discourse_connect_url_is_empty') if SiteSetting.discourse_connect_url.blank?
|
||||||
return I18n.t('site_settings.errors.sso_invite_only') if SiteSetting.invite_only?
|
return I18n.t('site_settings.errors.discourse_connect_invite_only') if SiteSetting.invite_only?
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -14,7 +14,7 @@ SiteSetting.refresh!
|
||||||
tests = [
|
tests = [
|
||||||
["current cache", lambda do
|
["current cache", lambda do
|
||||||
SiteSetting.title
|
SiteSetting.title
|
||||||
SiteSetting.enable_sso
|
SiteSetting.enable_discourse_connect
|
||||||
end
|
end
|
||||||
],
|
],
|
||||||
["change default locale with current cache refreshed", lambda do
|
["change default locale with current cache refreshed", lambda do
|
||||||
|
|
|
@ -13,7 +13,7 @@ require File.expand_path('../../../../config/environment', __FILE__)
|
||||||
|
|
||||||
# warming up
|
# warming up
|
||||||
SiteSetting.title
|
SiteSetting.title
|
||||||
SiteSetting.enable_sso
|
SiteSetting.enable_discourse_connect
|
||||||
SiteSetting.default_locale = SiteSetting.default_locale == 'en' ? 'zh_CN' : 'en'
|
SiteSetting.default_locale = SiteSetting.default_locale == 'en' ? 'zh_CN' : 'en'
|
||||||
SiteSetting.title = SecureRandom.hex
|
SiteSetting.title = SecureRandom.hex
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@ profile do
|
||||||
end
|
end
|
||||||
|
|
||||||
profile do
|
profile do
|
||||||
SiteSetting.enable_sso
|
SiteSetting.enable_discourse_connect
|
||||||
end
|
end
|
||||||
|
|
||||||
profile do
|
profile do
|
||||||
|
|
|
@ -138,8 +138,8 @@ describe ComposerMessagesFinder do
|
||||||
expect(finder.check_avatar_notification).to be_blank
|
expect(finder.check_avatar_notification).to be_blank
|
||||||
end
|
end
|
||||||
|
|
||||||
it "doesn't notify users if 'sso_overrides_avatar' setting is enabled" do
|
it "doesn't notify users if 'discourse_connect_overrides_avatar' setting is enabled" do
|
||||||
SiteSetting.sso_overrides_avatar = true
|
SiteSetting.discourse_connect_overrides_avatar = true
|
||||||
expect(finder.check_avatar_notification).to be_blank
|
expect(finder.check_avatar_notification).to be_blank
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -111,8 +111,8 @@ RSpec.describe SecondFactorManager do
|
||||||
|
|
||||||
describe 'when SSO is enabled' do
|
describe 'when SSO is enabled' do
|
||||||
it 'should return false' do
|
it 'should return false' do
|
||||||
SiteSetting.sso_url = 'http://someurl.com'
|
SiteSetting.discourse_connect_url = 'http://someurl.com'
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
|
|
||||||
expect(user.totp_enabled?).to eq(false)
|
expect(user.totp_enabled?).to eq(false)
|
||||||
end
|
end
|
||||||
|
@ -437,8 +437,8 @@ RSpec.describe SecondFactorManager do
|
||||||
|
|
||||||
describe 'when SSO is enabled' do
|
describe 'when SSO is enabled' do
|
||||||
it 'should return false' do
|
it 'should return false' do
|
||||||
SiteSetting.sso_url = 'http://someurl.com'
|
SiteSetting.discourse_connect_url = 'http://someurl.com'
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
|
|
||||||
expect(user_backup.backup_codes_enabled?).to eq(false)
|
expect(user_backup.backup_codes_enabled?).to eq(false)
|
||||||
end
|
end
|
||||||
|
|
|
@ -237,8 +237,8 @@ describe UserGuardian do
|
||||||
include_examples "can_delete_user examples"
|
include_examples "can_delete_user examples"
|
||||||
|
|
||||||
it "isn't allowed when SSO is enabled" do
|
it "isn't allowed when SSO is enabled" do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
expect(guardian.can_delete_user?(user)).to eq(false)
|
expect(guardian.can_delete_user?(user)).to eq(false)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -690,8 +690,8 @@ describe Guardian do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns false for all users when sso is enabled' do
|
it 'returns false for all users when sso is enabled' do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
|
|
||||||
expect(Guardian.new(trust_level_2).can_invite_via_email?(topic)).to be_falsey
|
expect(Guardian.new(trust_level_2).can_invite_via_email?(topic)).to be_falsey
|
||||||
expect(Guardian.new(moderator).can_invite_via_email?(topic)).to be_falsey
|
expect(Guardian.new(moderator).can_invite_via_email?(topic)).to be_falsey
|
||||||
|
@ -2714,9 +2714,9 @@ describe Guardian do
|
||||||
|
|
||||||
context 'when SSO username override is active' do
|
context 'when SSO username override is active' do
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
SiteSetting.sso_overrides_username = true
|
SiteSetting.auth_overrides_username = true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "is false for admins" do
|
it "is false for admins" do
|
||||||
|
@ -2799,9 +2799,9 @@ describe Guardian do
|
||||||
context 'when SSO email override is active' do
|
context 'when SSO email override is active' do
|
||||||
before do
|
before do
|
||||||
SiteSetting.email_editable = false
|
SiteSetting.email_editable = false
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
SiteSetting.sso_overrides_email = true
|
SiteSetting.auth_overrides_email = true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "is false for admins" do
|
it "is false for admins" do
|
||||||
|
@ -2878,8 +2878,8 @@ describe Guardian do
|
||||||
|
|
||||||
context 'when SSO is disabled' do
|
context 'when SSO is disabled' do
|
||||||
before do
|
before do
|
||||||
SiteSetting.enable_sso = false
|
SiteSetting.enable_discourse_connect = false
|
||||||
SiteSetting.sso_overrides_name = false
|
SiteSetting.auth_overrides_name = false
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'is true for admins' do
|
it 'is true for admins' do
|
||||||
|
@ -2897,13 +2897,13 @@ describe Guardian do
|
||||||
|
|
||||||
context 'when SSO is enabled' do
|
context 'when SSO is enabled' do
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when SSO name override is active' do
|
context 'when SSO name override is active' do
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_overrides_name = true
|
SiteSetting.auth_overrides_name = true
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'is false for admins' do
|
it 'is false for admins' do
|
||||||
|
@ -2921,7 +2921,7 @@ describe Guardian do
|
||||||
|
|
||||||
context 'when SSO name override is not active' do
|
context 'when SSO name override is not active' do
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_overrides_name = false
|
SiteSetting.auth_overrides_name = false
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'is true for admins' do
|
it 'is true for admins' do
|
||||||
|
|
|
@ -7,8 +7,8 @@ RSpec.describe EnableInviteOnlyValidator do
|
||||||
|
|
||||||
context "when sso is enabled" do
|
context "when sso is enabled" do
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_url = "https://example.com/sso"
|
SiteSetting.discourse_connect_url = "https://example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "is valid when false" do
|
it "is valid when false" do
|
||||||
|
@ -18,7 +18,7 @@ RSpec.describe EnableInviteOnlyValidator do
|
||||||
it "is isn't value for true" do
|
it "is isn't value for true" do
|
||||||
expect(subject.valid_value?('t')).to eq(false)
|
expect(subject.valid_value?('t')).to eq(false)
|
||||||
expect(subject.error_message).to eq(I18n.t(
|
expect(subject.error_message).to eq(I18n.t(
|
||||||
'site_settings.errors.sso_invite_only'
|
'site_settings.errors.discourse_connect_invite_only'
|
||||||
))
|
))
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -8,7 +8,7 @@ RSpec.describe EnableSsoValidator do
|
||||||
describe '#valid_value?' do
|
describe '#valid_value?' do
|
||||||
describe "when 'sso url' is empty" do
|
describe "when 'sso url' is empty" do
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_url = ""
|
SiteSetting.discourse_connect_url = ""
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'when val is false' do
|
describe 'when val is false' do
|
||||||
|
@ -22,7 +22,7 @@ RSpec.describe EnableSsoValidator do
|
||||||
expect(subject.valid_value?('t')).to eq(false)
|
expect(subject.valid_value?('t')).to eq(false)
|
||||||
|
|
||||||
expect(subject.error_message).to eq(I18n.t(
|
expect(subject.error_message).to eq(I18n.t(
|
||||||
'site_settings.errors.sso_url_is_empty'
|
'site_settings.errors.discourse_connect_url_is_empty'
|
||||||
))
|
))
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -31,7 +31,7 @@ RSpec.describe EnableSsoValidator do
|
||||||
describe "when invite_only is set" do
|
describe "when invite_only is set" do
|
||||||
before do
|
before do
|
||||||
SiteSetting.invite_only = true
|
SiteSetting.invite_only = true
|
||||||
SiteSetting.sso_url = 'https://example.com/sso'
|
SiteSetting.discourse_connect_url = 'https://example.com/sso'
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'allows a false value' do
|
it 'allows a false value' do
|
||||||
|
@ -41,14 +41,14 @@ RSpec.describe EnableSsoValidator do
|
||||||
it "doesn't allow true" do
|
it "doesn't allow true" do
|
||||||
expect(subject.valid_value?('t')).to eq(false)
|
expect(subject.valid_value?('t')).to eq(false)
|
||||||
expect(subject.error_message).to eq(I18n.t(
|
expect(subject.error_message).to eq(I18n.t(
|
||||||
'site_settings.errors.sso_invite_only'
|
'site_settings.errors.discourse_connect_invite_only'
|
||||||
))
|
))
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "when 'sso url' is present" do
|
describe "when 'sso url' is present" do
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
end
|
end
|
||||||
|
|
||||||
describe 'when value is false' do
|
describe 'when value is false' do
|
||||||
|
|
|
@ -8,8 +8,8 @@ RSpec.describe SsoOverridesEmailValidator do
|
||||||
describe '#valid_value?' do
|
describe '#valid_value?' do
|
||||||
describe "when 'email editable' is true" do
|
describe "when 'email editable' is true" do
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
SiteSetting.email_editable = true
|
SiteSetting.email_editable = true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -32,8 +32,8 @@ RSpec.describe SsoOverridesEmailValidator do
|
||||||
|
|
||||||
describe "when 'email editable' is false" do
|
describe "when 'email editable' is false" do
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
SiteSetting.email_editable = false
|
SiteSetting.email_editable = false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -210,8 +210,8 @@ describe Jobs::ExportCsvFile do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'exports sso data' do
|
it 'exports sso data' do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
user = Fabricate(:user)
|
user = Fabricate(:user)
|
||||||
user.user_profile.update_column(:location, "La,La Land")
|
user.user_profile.update_column(:location, "La,La Land")
|
||||||
user.create_single_sign_on_record(external_id: "123", last_payload: "xxx", external_email: 'test@test.com')
|
user.create_single_sign_on_record(external_id: "123", last_payload: "xxx", external_email: 'test@test.com')
|
||||||
|
|
|
@ -151,10 +151,10 @@ describe SiteSettings::Validations do
|
||||||
end
|
end
|
||||||
|
|
||||||
context "when SSO is enabled" do
|
context "when SSO is enabled" do
|
||||||
let(:error_message) { I18n.t("errors.site_settings.second_factor_cannot_be_enforced_with_sso_enabled") }
|
let(:error_message) { I18n.t("errors.site_settings.second_factor_cannot_be_enforced_with_discourse_connect_enabled") }
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should raise an error" do
|
it "should raise an error" do
|
||||||
|
|
|
@ -4,12 +4,12 @@ require "rails_helper"
|
||||||
|
|
||||||
describe DiscourseSingleSignOn do
|
describe DiscourseSingleSignOn do
|
||||||
before do
|
before do
|
||||||
@sso_url = "http://example.com/discourse_sso"
|
@discourse_connect_url = "http://example.com/discourse_sso"
|
||||||
@sso_secret = "shjkfdhsfkjh"
|
@discourse_connect_secret = "shjkfdhsfkjh"
|
||||||
|
|
||||||
SiteSetting.sso_url = @sso_url
|
SiteSetting.discourse_connect_url = @discourse_connect_url
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
SiteSetting.sso_secret = @sso_secret
|
SiteSetting.discourse_connect_secret = @discourse_connect_secret
|
||||||
Jobs.run_immediately!
|
Jobs.run_immediately!
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -114,7 +114,7 @@ describe DiscourseSingleSignOn do
|
||||||
end
|
end
|
||||||
|
|
||||||
it "unstaged users" do
|
it "unstaged users" do
|
||||||
SiteSetting.sso_overrides_name = true
|
SiteSetting.auth_overrides_name = true
|
||||||
|
|
||||||
email = "staged@user.com"
|
email = "staged@user.com"
|
||||||
Fabricate(:user, staged: true, email: email)
|
Fabricate(:user, staged: true, email: email)
|
||||||
|
@ -195,7 +195,7 @@ describe DiscourseSingleSignOn do
|
||||||
sso.groups = "#{group2.name.capitalize},group4,badname,trust_level_4"
|
sso.groups = "#{group2.name.capitalize},group4,badname,trust_level_4"
|
||||||
sso.lookup_or_create_user(ip_address)
|
sso.lookup_or_create_user(ip_address)
|
||||||
|
|
||||||
SiteSetting.sso_overrides_groups = true
|
SiteSetting.discourse_connect_overrides_groups = true
|
||||||
|
|
||||||
group1.reload
|
group1.reload
|
||||||
expect(group1.usernames).to eq("")
|
expect(group1.usernames).to eq("")
|
||||||
|
@ -260,7 +260,7 @@ describe DiscourseSingleSignOn do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'can override username properly when only the case changes' do
|
it 'can override username properly when only the case changes' do
|
||||||
SiteSetting.sso_overrides_username = true
|
SiteSetting.auth_overrides_username = true
|
||||||
|
|
||||||
sso = DiscourseSingleSignOn.new
|
sso = DiscourseSingleSignOn.new
|
||||||
sso.username = "testuser"
|
sso.username = "testuser"
|
||||||
|
@ -280,8 +280,8 @@ describe DiscourseSingleSignOn do
|
||||||
expect(user.username).to eq "TestUser"
|
expect(user.username).to eq "TestUser"
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'behaves properly when sso_overrides_username is set but username is missing or blank' do
|
it 'behaves properly when auth_overrides_username is set but username is missing or blank' do
|
||||||
SiteSetting.sso_overrides_username = true
|
SiteSetting.auth_overrides_username = true
|
||||||
|
|
||||||
sso = DiscourseSingleSignOn.new
|
sso = DiscourseSingleSignOn.new
|
||||||
sso.username = "testuser"
|
sso.username = "testuser"
|
||||||
|
@ -310,9 +310,9 @@ describe DiscourseSingleSignOn do
|
||||||
admin = Fabricate(:admin)
|
admin = Fabricate(:admin)
|
||||||
|
|
||||||
SiteSetting.email_editable = false
|
SiteSetting.email_editable = false
|
||||||
SiteSetting.sso_overrides_name = true
|
SiteSetting.auth_overrides_name = true
|
||||||
SiteSetting.sso_overrides_email = true
|
SiteSetting.auth_overrides_email = true
|
||||||
SiteSetting.sso_overrides_username = true
|
SiteSetting.auth_overrides_username = true
|
||||||
|
|
||||||
sso = DiscourseSingleSignOn.new
|
sso = DiscourseSingleSignOn.new
|
||||||
sso.username = "bob%the$admin"
|
sso.username = "bob%the$admin"
|
||||||
|
@ -378,7 +378,7 @@ describe DiscourseSingleSignOn do
|
||||||
|
|
||||||
it "generates a correct sso url" do
|
it "generates a correct sso url" do
|
||||||
url, payload = DiscourseSingleSignOn.generate_url.split("?")
|
url, payload = DiscourseSingleSignOn.generate_url.split("?")
|
||||||
expect(url).to eq @sso_url
|
expect(url).to eq @discourse_connect_url
|
||||||
|
|
||||||
sso = DiscourseSingleSignOn.parse(payload)
|
sso = DiscourseSingleSignOn.parse(payload)
|
||||||
expect(sso.nonce).to_not be_nil
|
expect(sso.nonce).to_not be_nil
|
||||||
|
@ -447,7 +447,7 @@ describe DiscourseSingleSignOn do
|
||||||
|
|
||||||
it 'does not deactivate user if email provided is capitalized' do
|
it 'does not deactivate user if email provided is capitalized' do
|
||||||
SiteSetting.email_editable = false
|
SiteSetting.email_editable = false
|
||||||
SiteSetting.sso_overrides_email = true
|
SiteSetting.auth_overrides_email = true
|
||||||
sso.require_activation = true
|
sso.require_activation = true
|
||||||
|
|
||||||
user = sso.lookup_or_create_user(ip_address)
|
user = sso.lookup_or_create_user(ip_address)
|
||||||
|
@ -465,7 +465,7 @@ describe DiscourseSingleSignOn do
|
||||||
it 'deactivates accounts that have updated email address' do
|
it 'deactivates accounts that have updated email address' do
|
||||||
|
|
||||||
SiteSetting.email_editable = false
|
SiteSetting.email_editable = false
|
||||||
SiteSetting.sso_overrides_email = true
|
SiteSetting.auth_overrides_email = true
|
||||||
sso.require_activation = true
|
sso.require_activation = true
|
||||||
|
|
||||||
user = sso.lookup_or_create_user(ip_address)
|
user = sso.lookup_or_create_user(ip_address)
|
||||||
|
@ -567,7 +567,7 @@ describe DiscourseSingleSignOn do
|
||||||
|
|
||||||
# yes override if site setting
|
# yes override if site setting
|
||||||
sso.bio = "new profile 2"
|
sso.bio = "new profile 2"
|
||||||
SiteSetting.sso_overrides_bio = true
|
SiteSetting.discourse_connect_overrides_bio = true
|
||||||
|
|
||||||
user = sso.lookup_or_create_user(ip_address)
|
user = sso.lookup_or_create_user(ip_address)
|
||||||
expect(user.user_profile.bio_cooked).to match_html("<p>new profile 2</p")
|
expect(user.user_profile.bio_cooked).to match_html("<p>new profile 2</p")
|
||||||
|
@ -575,7 +575,7 @@ describe DiscourseSingleSignOn do
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when sso_overrides_avatar is not enabled' do
|
context 'when discourse_connect_overrides_avatar is not enabled' do
|
||||||
|
|
||||||
it "correctly handles provided avatar_urls" do
|
it "correctly handles provided avatar_urls" do
|
||||||
sso = DiscourseSingleSignOn.new
|
sso = DiscourseSingleSignOn.new
|
||||||
|
@ -635,7 +635,7 @@ describe DiscourseSingleSignOn do
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when sso_overrides_avatar is enabled' do
|
context 'when discourse_connect_overrides_avatar is enabled' do
|
||||||
fab!(:sso_record) { Fabricate(:single_sign_on_record, external_avatar_url: "http://example.com/an_image.png") }
|
fab!(:sso_record) { Fabricate(:single_sign_on_record, external_avatar_url: "http://example.com/an_image.png") }
|
||||||
|
|
||||||
let!(:sso) {
|
let!(:sso) {
|
||||||
|
@ -650,7 +650,7 @@ describe DiscourseSingleSignOn do
|
||||||
let(:logo) { file_from_fixtures("logo.png") }
|
let(:logo) { file_from_fixtures("logo.png") }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_overrides_avatar = true
|
SiteSetting.discourse_connect_overrides_avatar = true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "deal with no avatar url passed for an existing user with an avatar" do
|
it "deal with no avatar url passed for an existing user with an avatar" do
|
||||||
|
@ -683,7 +683,7 @@ describe DiscourseSingleSignOn do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when sso_overrides_profile_background is not enabled' do
|
context 'when discourse_connect_overrides_profile_background is not enabled' do
|
||||||
|
|
||||||
it "correctly handles provided profile_background_urls" do
|
it "correctly handles provided profile_background_urls" do
|
||||||
sso = DiscourseSingleSignOn.new
|
sso = DiscourseSingleSignOn.new
|
||||||
|
@ -715,7 +715,7 @@ describe DiscourseSingleSignOn do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when sso_overrides_profile_background is enabled' do
|
context 'when discourse_connect_overrides_profile_background is enabled' do
|
||||||
fab!(:sso_record) { Fabricate(:single_sign_on_record, external_profile_background_url: "http://example.com/an_image.png") }
|
fab!(:sso_record) { Fabricate(:single_sign_on_record, external_profile_background_url: "http://example.com/an_image.png") }
|
||||||
|
|
||||||
let!(:sso) {
|
let!(:sso) {
|
||||||
|
@ -730,7 +730,7 @@ describe DiscourseSingleSignOn do
|
||||||
let(:logo) { file_from_fixtures("logo.png") }
|
let(:logo) { file_from_fixtures("logo.png") }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_overrides_profile_background = true
|
SiteSetting.discourse_connect_overrides_profile_background = true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "deal with no profile_background_url passed for an existing user with a profile_background" do
|
it "deal with no profile_background_url passed for an existing user with a profile_background" do
|
||||||
|
@ -755,7 +755,7 @@ describe DiscourseSingleSignOn do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when sso_overrides_card_background is not enabled' do
|
context 'when discourse_connect_overrides_card_background is not enabled' do
|
||||||
|
|
||||||
it "correctly handles provided card_background_urls" do
|
it "correctly handles provided card_background_urls" do
|
||||||
sso = DiscourseSingleSignOn.new
|
sso = DiscourseSingleSignOn.new
|
||||||
|
@ -787,7 +787,7 @@ describe DiscourseSingleSignOn do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when sso_overrides_card_background is enabled' do
|
context 'when discourse_connect_overrides_card_background is enabled' do
|
||||||
fab!(:sso_record) { Fabricate(:single_sign_on_record, external_card_background_url: "http://example.com/an_image.png") }
|
fab!(:sso_record) { Fabricate(:single_sign_on_record, external_card_background_url: "http://example.com/an_image.png") }
|
||||||
|
|
||||||
let!(:sso) {
|
let!(:sso) {
|
||||||
|
@ -802,7 +802,7 @@ describe DiscourseSingleSignOn do
|
||||||
let(:logo) { file_from_fixtures("logo.png") }
|
let(:logo) { file_from_fixtures("logo.png") }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_overrides_card_background = true
|
SiteSetting.discourse_connect_overrides_card_background = true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "deal with no card_background_url passed for an existing user with a card_background" do
|
it "deal with no card_background_url passed for an existing user with a card_background" do
|
||||||
|
|
|
@ -57,7 +57,7 @@ describe Invite do
|
||||||
|
|
||||||
invite = Fabricate.build(:invite, email: "test@mail.com")
|
invite = Fabricate.build(:invite, email: "test@mail.com")
|
||||||
expect(invite).not_to be_valid
|
expect(invite).not_to be_valid
|
||||||
expect(invite.errors.details[:email].first[:error]).to eq(I18n.t("invite.disabled_errors.sso_enabled"))
|
expect(invite.errors.details[:email].first[:error]).to eq(I18n.t("invite.disabled_errors.discourse_connect_enabled"))
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -862,12 +862,12 @@ RSpec.describe Admin::UsersController do
|
||||||
|
|
||||||
before do
|
before do
|
||||||
SiteSetting.email_editable = false
|
SiteSetting.email_editable = false
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
SiteSetting.sso_overrides_email = true
|
SiteSetting.auth_overrides_email = true
|
||||||
SiteSetting.sso_overrides_name = true
|
SiteSetting.auth_overrides_name = true
|
||||||
SiteSetting.sso_overrides_username = true
|
SiteSetting.auth_overrides_username = true
|
||||||
SiteSetting.sso_secret = sso_secret
|
SiteSetting.discourse_connect_secret = sso_secret
|
||||||
sso.sso_secret = sso_secret
|
sso.sso_secret = sso_secret
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -924,7 +924,7 @@ RSpec.describe Admin::UsersController do
|
||||||
correct_payload = Rack::Utils.parse_query(sso.payload)
|
correct_payload = Rack::Utils.parse_query(sso.payload)
|
||||||
post "/admin/users/sync_sso.json", params: correct_payload.merge(sig: "someincorrectsignature")
|
post "/admin/users/sync_sso.json", params: correct_payload.merge(sig: "someincorrectsignature")
|
||||||
expect(response.status).to eq(422)
|
expect(response.status).to eq(422)
|
||||||
expect(response.parsed_body["message"]).to include(I18n.t('sso.login_error'))
|
expect(response.parsed_body["message"]).to include(I18n.t('discourse_connect.login_error'))
|
||||||
expect(response.parsed_body["message"]).not_to include(correct_payload["sig"])
|
expect(response.parsed_body["message"]).not_to include(correct_payload["sig"])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -935,7 +935,7 @@ RSpec.describe Admin::UsersController do
|
||||||
sso.external_id = ""
|
sso.external_id = ""
|
||||||
post "/admin/users/sync_sso.json", params: Rack::Utils.parse_query(sso.payload)
|
post "/admin/users/sync_sso.json", params: Rack::Utils.parse_query(sso.payload)
|
||||||
expect(response.status).to eq(422)
|
expect(response.status).to eq(422)
|
||||||
expect(response.parsed_body["message"]).to include(I18n.t('sso.blank_id_error'))
|
expect(response.parsed_body["message"]).to include(I18n.t('discourse_connect.blank_id_error'))
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -1094,8 +1094,8 @@ RSpec.describe Admin::UsersController do
|
||||||
fab!(:sso_record) { SingleSignOnRecord.create!(user_id: user.id, external_id: '12345', external_email: user.email, last_payload: '') }
|
fab!(:sso_record) { SingleSignOnRecord.create!(user_id: user.id, external_id: '12345', external_email: user.email, last_payload: '') }
|
||||||
|
|
||||||
it "deletes the record" do
|
it "deletes the record" do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
|
|
||||||
delete "/admin/users/#{user.id}/sso_record.json"
|
delete "/admin/users/#{user.id}/sso_record.json"
|
||||||
expect(response.status).to eq(200)
|
expect(response.status).to eq(200)
|
||||||
|
|
|
@ -96,8 +96,8 @@ describe 'users' do
|
||||||
let(:external_id) { '1' }
|
let(:external_id) { '1' }
|
||||||
|
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_url = 'http://someurl.com'
|
SiteSetting.discourse_connect_url = 'http://someurl.com'
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
user.create_single_sign_on_record(external_id: '1', last_payload: '')
|
user.create_single_sign_on_record(external_id: '1', last_payload: '')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -22,8 +22,8 @@ RSpec.describe ApplicationController do
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should redirect to SSO if enabled" do
|
it "should redirect to SSO if enabled" do
|
||||||
SiteSetting.sso_url = 'http://someurl.com'
|
SiteSetting.discourse_connect_url = 'http://someurl.com'
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
get "/"
|
get "/"
|
||||||
expect(response).to redirect_to("/session/sso")
|
expect(response).to redirect_to("/session/sso")
|
||||||
end
|
end
|
||||||
|
@ -45,17 +45,17 @@ RSpec.describe ApplicationController do
|
||||||
expect(response).to redirect_to("/login")
|
expect(response).to redirect_to("/login")
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should not redirect to SSO when external_auth_immediately is disabled" do
|
it "should not redirect to SSO when auth_immediately is disabled" do
|
||||||
SiteSetting.external_auth_immediately = false
|
SiteSetting.auth_immediately = false
|
||||||
SiteSetting.sso_url = 'http://someurl.com'
|
SiteSetting.discourse_connect_url = 'http://someurl.com'
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
|
|
||||||
get "/"
|
get "/"
|
||||||
expect(response).to redirect_to("/login")
|
expect(response).to redirect_to("/login")
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should not redirect to authenticator when external_auth_immediately is disabled" do
|
it "should not redirect to authenticator when auth_immediately is disabled" do
|
||||||
SiteSetting.external_auth_immediately = false
|
SiteSetting.auth_immediately = false
|
||||||
SiteSetting.enable_google_oauth2_logins = true
|
SiteSetting.enable_google_oauth2_logins = true
|
||||||
SiteSetting.enable_local_logins = false
|
SiteSetting.enable_local_logins = false
|
||||||
|
|
||||||
|
|
|
@ -444,8 +444,8 @@ describe InvitesController do
|
||||||
|
|
||||||
it "does not send password reset email if sso is enabled" do
|
it "does not send password reset email if sso is enabled" do
|
||||||
invite # create the invite before enabling SSO
|
invite # create the invite before enabling SSO
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
put "/invites/show/#{invite.invite_key}.json"
|
put "/invites/show/#{invite.invite_key}.json"
|
||||||
expect(response.status).to eq(200)
|
expect(response.status).to eq(200)
|
||||||
|
|
||||||
|
|
|
@ -351,9 +351,9 @@ RSpec.describe Users::OmniauthCallbacksController do
|
||||||
|
|
||||||
it "should update name/username/email when sso_overrides is enabled" do
|
it "should update name/username/email when sso_overrides is enabled" do
|
||||||
SiteSetting.email_editable = false
|
SiteSetting.email_editable = false
|
||||||
SiteSetting.sso_overrides_email = true
|
SiteSetting.auth_overrides_email = true
|
||||||
SiteSetting.sso_overrides_name = true
|
SiteSetting.auth_overrides_name = true
|
||||||
SiteSetting.sso_overrides_username = true
|
SiteSetting.auth_overrides_username = true
|
||||||
|
|
||||||
UserAssociatedAccount.create!(provider_name: "google_oauth2", user_id: user.id, provider_uid: '123545')
|
UserAssociatedAccount.create!(provider_name: "google_oauth2", user_id: user.id, provider_uid: '123545')
|
||||||
|
|
||||||
|
@ -371,7 +371,7 @@ RSpec.describe Users::OmniauthCallbacksController do
|
||||||
|
|
||||||
it "will not update email if not verified" do
|
it "will not update email if not verified" do
|
||||||
SiteSetting.email_editable = false
|
SiteSetting.email_editable = false
|
||||||
SiteSetting.sso_overrides_email = true
|
SiteSetting.auth_overrides_email = true
|
||||||
|
|
||||||
OmniAuth.config.mock_auth[:google_oauth2][:extra][:raw_info][:email_verified] = false
|
OmniAuth.config.mock_auth[:google_oauth2][:extra][:raw_info][:email_verified] = false
|
||||||
|
|
||||||
|
@ -387,9 +387,9 @@ RSpec.describe Users::OmniauthCallbacksController do
|
||||||
expect(user.email).to eq('email@example.com')
|
expect(user.email).to eq('email@example.com')
|
||||||
end
|
end
|
||||||
|
|
||||||
it "shows error when sso_overrides_email causes a validation error" do
|
it "shows error when auth_overrides_email causes a validation error" do
|
||||||
SiteSetting.email_editable = false
|
SiteSetting.email_editable = false
|
||||||
SiteSetting.sso_overrides_email = true
|
SiteSetting.auth_overrides_email = true
|
||||||
|
|
||||||
UserAssociatedAccount.create!(provider_name: "google_oauth2", user_id: user.id, provider_uid: '123545')
|
UserAssociatedAccount.create!(provider_name: "google_oauth2", user_id: user.id, provider_uid: '123545')
|
||||||
|
|
||||||
|
@ -454,12 +454,12 @@ RSpec.describe Users::OmniauthCallbacksController do
|
||||||
|
|
||||||
context 'when sso_payload cookie exist' do
|
context 'when sso_payload cookie exist' do
|
||||||
before do
|
before do
|
||||||
SiteSetting.enable_sso_provider = true
|
SiteSetting.enable_discourse_connect_provider = true
|
||||||
SiteSetting.sso_secret = "topsecret"
|
SiteSetting.discourse_connect_secret = "topsecret"
|
||||||
|
|
||||||
@sso = SingleSignOn.new
|
@sso = SingleSignOn.new
|
||||||
@sso.nonce = "mynonce"
|
@sso.nonce = "mynonce"
|
||||||
@sso.sso_secret = SiteSetting.sso_secret
|
@sso.sso_secret = SiteSetting.discourse_connect_secret
|
||||||
@sso.return_sso_url = "http://somewhere.over.rainbow/sso"
|
@sso.return_sso_url = "http://somewhere.over.rainbow/sso"
|
||||||
cookies[:sso_payload] = @sso.payload
|
cookies[:sso_payload] = @sso.payload
|
||||||
|
|
||||||
|
|
|
@ -35,8 +35,8 @@ RSpec.describe SessionController do
|
||||||
|
|
||||||
context "when SSO enabled" do
|
context "when SSO enabled" do
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
end
|
end
|
||||||
|
|
||||||
it "only works for admins" do
|
it "only works for admins" do
|
||||||
|
@ -508,9 +508,9 @@ RSpec.describe SessionController do
|
||||||
@sso_url = "http://example.com/discourse_sso"
|
@sso_url = "http://example.com/discourse_sso"
|
||||||
@sso_secret = "shjkfdhsfkjh"
|
@sso_secret = "shjkfdhsfkjh"
|
||||||
|
|
||||||
SiteSetting.sso_url = @sso_url
|
SiteSetting.discourse_connect_url = @sso_url
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
SiteSetting.sso_secret = @sso_secret
|
SiteSetting.discourse_connect_secret = @sso_secret
|
||||||
|
|
||||||
Fabricate(:admin)
|
Fabricate(:admin)
|
||||||
end
|
end
|
||||||
|
@ -577,7 +577,7 @@ RSpec.describe SessionController do
|
||||||
|
|
||||||
expect(messages.length).to eq(0)
|
expect(messages.length).to eq(0)
|
||||||
expect(response.status).to eq(500)
|
expect(response.status).to eq(500)
|
||||||
expect(response.body).to include(I18n.t('sso.blank_id_error'))
|
expect(response.body).to include(I18n.t('discourse_connect.blank_id_error'))
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'can handle invalid sso email validation errors' do
|
it 'can handle invalid sso email validation errors' do
|
||||||
|
@ -593,7 +593,7 @@ RSpec.describe SessionController do
|
||||||
|
|
||||||
expect(messages.length).to eq(0)
|
expect(messages.length).to eq(0)
|
||||||
expect(response.status).to eq(500)
|
expect(response.status).to eq(500)
|
||||||
expect(response.body).to include(I18n.t("sso.email_error", email: ERB::Util.html_escape("test@test.com")))
|
expect(response.body).to include(I18n.t("discourse_connect.email_error", email: ERB::Util.html_escape("test@test.com")))
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'can handle invalid sso external ids due to banned word' do
|
it 'can handle invalid sso external ids due to banned word' do
|
||||||
|
@ -628,7 +628,7 @@ RSpec.describe SessionController do
|
||||||
sign_out
|
sign_out
|
||||||
|
|
||||||
SiteSetting.email_editable = false
|
SiteSetting.email_editable = false
|
||||||
SiteSetting.sso_overrides_email = true
|
SiteSetting.auth_overrides_email = true
|
||||||
|
|
||||||
group = Fabricate(:group, name: :bob, automatic_membership_email_domains: 'jane.com')
|
group = Fabricate(:group, name: :bob, automatic_membership_email_domains: 'jane.com')
|
||||||
sso = get_sso("/")
|
sso = get_sso("/")
|
||||||
|
@ -731,7 +731,7 @@ RSpec.describe SessionController do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'redirects to random url if it is allowed' do
|
it 'redirects to random url if it is allowed' do
|
||||||
SiteSetting.sso_allows_all_return_paths = true
|
SiteSetting.discourse_connect_allows_all_return_paths = true
|
||||||
|
|
||||||
sso = get_sso('https://gusundtrout.com')
|
sso = get_sso('https://gusundtrout.com')
|
||||||
sso.external_id = '666' # the number of the beast
|
sso.external_id = '666' # the number of the beast
|
||||||
|
@ -879,8 +879,8 @@ RSpec.describe SessionController do
|
||||||
|
|
||||||
context "when sso provider is enabled" do
|
context "when sso provider is enabled" do
|
||||||
before do
|
before do
|
||||||
SiteSetting.enable_sso_provider = true
|
SiteSetting.enable_discourse_connect_provider = true
|
||||||
SiteSetting.sso_provider_secrets = [
|
SiteSetting.discourse_connect_provider_secrets = [
|
||||||
"*|secret,forAll",
|
"*|secret,forAll",
|
||||||
"*.rainbow|wrongSecretForOverRainbow",
|
"*.rainbow|wrongSecretForOverRainbow",
|
||||||
"www.random.site|secretForRandomSite",
|
"www.random.site|secretForRandomSite",
|
||||||
|
@ -932,9 +932,9 @@ RSpec.describe SessionController do
|
||||||
describe 'local attribute override from SSO payload' do
|
describe 'local attribute override from SSO payload' do
|
||||||
before do
|
before do
|
||||||
SiteSetting.email_editable = false
|
SiteSetting.email_editable = false
|
||||||
SiteSetting.sso_overrides_email = true
|
SiteSetting.auth_overrides_email = true
|
||||||
SiteSetting.sso_overrides_username = true
|
SiteSetting.auth_overrides_username = true
|
||||||
SiteSetting.sso_overrides_name = true
|
SiteSetting.auth_overrides_name = true
|
||||||
|
|
||||||
@user = Fabricate(:user)
|
@user = Fabricate(:user)
|
||||||
|
|
||||||
|
@ -994,10 +994,10 @@ RSpec.describe SessionController do
|
||||||
body: lambda { |request| file_from_fixtures("logo.png") }
|
body: lambda { |request| file_from_fixtures("logo.png") }
|
||||||
)
|
)
|
||||||
|
|
||||||
SiteSetting.enable_sso_provider = true
|
SiteSetting.enable_discourse_connect_provider = true
|
||||||
SiteSetting.enable_sso = false
|
SiteSetting.enable_discourse_connect = false
|
||||||
SiteSetting.enable_local_logins = true
|
SiteSetting.enable_local_logins = true
|
||||||
SiteSetting.sso_provider_secrets = [
|
SiteSetting.discourse_connect_provider_secrets = [
|
||||||
"*|secret,forAll",
|
"*|secret,forAll",
|
||||||
"*.rainbow|wrongSecretForOverRainbow",
|
"*.rainbow|wrongSecretForOverRainbow",
|
||||||
"www.random.site|secretForRandomSite",
|
"www.random.site|secretForRandomSite",
|
||||||
|
@ -1062,17 +1062,17 @@ RSpec.describe SessionController do
|
||||||
end
|
end
|
||||||
|
|
||||||
it "fails with a nice error message if secret is blank" do
|
it "fails with a nice error message if secret is blank" do
|
||||||
SiteSetting.sso_provider_secrets = ""
|
SiteSetting.discourse_connect_provider_secrets = ""
|
||||||
sso = SingleSignOnProvider.new
|
sso = SingleSignOnProvider.new
|
||||||
sso.nonce = "mynonce"
|
sso.nonce = "mynonce"
|
||||||
sso.return_sso_url = "http://website.without.secret.com/sso"
|
sso.return_sso_url = "http://website.without.secret.com/sso"
|
||||||
get "/session/sso_provider", params: Rack::Utils.parse_query(sso.payload("aasdasdasd"))
|
get "/session/sso_provider", params: Rack::Utils.parse_query(sso.payload("aasdasdasd"))
|
||||||
expect(response.status).to eq(400)
|
expect(response.status).to eq(400)
|
||||||
expect(response.body).to eq(I18n.t("sso.missing_secret"))
|
expect(response.body).to eq(I18n.t("discourse_connect.missing_secret"))
|
||||||
end
|
end
|
||||||
|
|
||||||
it "returns a 422 if no return_sso_url" do
|
it "returns a 422 if no return_sso_url" do
|
||||||
SiteSetting.sso_provider_secrets = "abcdefghij"
|
SiteSetting.discourse_connect_provider_secrets = "abcdefghij"
|
||||||
sso = SingleSignOnProvider.new
|
sso = SingleSignOnProvider.new
|
||||||
get "/session/sso_provider?sso=asdf&sig=abcdefghij"
|
get "/session/sso_provider?sso=asdf&sig=abcdefghij"
|
||||||
expect(response.status).to eq(422)
|
expect(response.status).to eq(422)
|
||||||
|
@ -1206,8 +1206,8 @@ RSpec.describe SessionController do
|
||||||
|
|
||||||
context 'SSO is enabled' do
|
context 'SSO is enabled' do
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
|
|
||||||
post "/session.json", params: {
|
post "/session.json", params: {
|
||||||
login: user.username, password: 'myawesomepassword'
|
login: user.username, password: 'myawesomepassword'
|
||||||
|
@ -1810,8 +1810,8 @@ RSpec.describe SessionController do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'redirects to /login when SSO and login_required' do
|
it 'redirects to /login when SSO and login_required' do
|
||||||
SiteSetting.sso_url = "https://example.com/sso"
|
SiteSetting.discourse_connect_url = "https://example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
|
|
||||||
user = sign_in(Fabricate(:user))
|
user = sign_in(Fabricate(:user))
|
||||||
delete "/session/#{user.username}.json", xhr: true
|
delete "/session/#{user.username}.json", xhr: true
|
||||||
|
@ -1987,8 +1987,8 @@ RSpec.describe SessionController do
|
||||||
|
|
||||||
context 'SSO is enabled' do
|
context 'SSO is enabled' do
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
|
|
||||||
post "/session.json", params: {
|
post "/session.json", params: {
|
||||||
login: user.username, password: 'myawesomepassword'
|
login: user.username, password: 'myawesomepassword'
|
||||||
|
|
|
@ -127,8 +127,8 @@ describe UploadsController do
|
||||||
expect(response.status).to eq(422)
|
expect(response.status).to eq(422)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'ensures sso_overrides_avatar is not enabled when uploading an avatar' do
|
it 'ensures discourse_connect_overrides_avatar is not enabled when uploading an avatar' do
|
||||||
SiteSetting.sso_overrides_avatar = true
|
SiteSetting.discourse_connect_overrides_avatar = true
|
||||||
post "/uploads.json", params: { file: logo, type: "avatar" }
|
post "/uploads.json", params: { file: logo, type: "avatar" }
|
||||||
expect(response.status).to eq(422)
|
expect(response.status).to eq(422)
|
||||||
end
|
end
|
||||||
|
|
|
@ -1071,8 +1071,8 @@ describe UsersController do
|
||||||
end
|
end
|
||||||
|
|
||||||
it "doesn't use provided username/name if sso_overrides is enabled" do
|
it "doesn't use provided username/name if sso_overrides is enabled" do
|
||||||
SiteSetting.sso_overrides_username = true
|
SiteSetting.auth_overrides_username = true
|
||||||
SiteSetting.sso_overrides_name = true
|
SiteSetting.auth_overrides_name = true
|
||||||
post "/u.json", params: {
|
post "/u.json", params: {
|
||||||
username: "attemptednewname",
|
username: "attemptednewname",
|
||||||
name: "Attempt At New Name",
|
name: "Attempt At New Name",
|
||||||
|
@ -1463,17 +1463,17 @@ describe UsersController do
|
||||||
expect(response.parsed_body['username']).to eq(new_username)
|
expect(response.parsed_body['username']).to eq(new_username)
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'should respond with proper error message if sso_overrides_username is enabled' do
|
it 'should respond with proper error message if auth_overrides_username is enabled' do
|
||||||
SiteSetting.sso_url = 'http://someurl.com'
|
SiteSetting.discourse_connect_url = 'http://someurl.com'
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
SiteSetting.sso_overrides_username = true
|
SiteSetting.auth_overrides_username = true
|
||||||
acting_user = Fabricate(:admin)
|
acting_user = Fabricate(:admin)
|
||||||
sign_in(acting_user)
|
sign_in(acting_user)
|
||||||
|
|
||||||
put "/u/#{user.username}/preferences/username.json", params: { new_username: new_username }
|
put "/u/#{user.username}/preferences/username.json", params: { new_username: new_username }
|
||||||
|
|
||||||
expect(response.status).to eq(422)
|
expect(response.status).to eq(422)
|
||||||
expect(response.parsed_body['errors'].first).to include(I18n.t('errors.messages.sso_overrides_username'))
|
expect(response.parsed_body['errors'].first).to include(I18n.t('errors.messages.auth_overrides_username'))
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -2343,8 +2343,8 @@ describe UsersController do
|
||||||
expect(response).to be_forbidden
|
expect(response).to be_forbidden
|
||||||
end
|
end
|
||||||
|
|
||||||
it "raises an error when sso_overrides_avatar is disabled" do
|
it "raises an error when discourse_connect_overrides_avatar is disabled" do
|
||||||
SiteSetting.sso_overrides_avatar = true
|
SiteSetting.discourse_connect_overrides_avatar = true
|
||||||
put "/u/#{user.username}/preferences/avatar/pick.json", params: {
|
put "/u/#{user.username}/preferences/avatar/pick.json", params: {
|
||||||
upload_id: upload.id, type: "custom"
|
upload_id: upload.id, type: "custom"
|
||||||
}
|
}
|
||||||
|
@ -3972,8 +3972,8 @@ describe UsersController do
|
||||||
|
|
||||||
describe 'when SSO is enabled' do
|
describe 'when SSO is enabled' do
|
||||||
it 'should return the right response' do
|
it 'should return the right response' do
|
||||||
SiteSetting.sso_url = 'http://someurl.com'
|
SiteSetting.discourse_connect_url = 'http://someurl.com'
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
|
|
||||||
post "/users/create_second_factor_totp.json"
|
post "/users/create_second_factor_totp.json"
|
||||||
|
|
||||||
|
@ -4204,8 +4204,8 @@ describe UsersController do
|
||||||
|
|
||||||
describe 'when SSO is enabled' do
|
describe 'when SSO is enabled' do
|
||||||
it 'should return the right response' do
|
it 'should return the right response' do
|
||||||
SiteSetting.sso_url = 'http://someurl.com'
|
SiteSetting.discourse_connect_url = 'http://someurl.com'
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
|
|
||||||
put "/users/second_factors_backup.json"
|
put "/users/second_factors_backup.json"
|
||||||
|
|
||||||
|
@ -4479,8 +4479,8 @@ describe UsersController do
|
||||||
|
|
||||||
context 'when SSO is enabled' do
|
context 'when SSO is enabled' do
|
||||||
before do
|
before do
|
||||||
SiteSetting.sso_url = 'https://discourse.test/sso'
|
SiteSetting.discourse_connect_url = 'https://discourse.test/sso'
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'does not allow access' do
|
it 'does not allow access' do
|
||||||
|
@ -4503,7 +4503,7 @@ describe UsersController do
|
||||||
context 'when the site settings allow second factors' do
|
context 'when the site settings allow second factors' do
|
||||||
before do
|
before do
|
||||||
SiteSetting.enable_local_logins = true
|
SiteSetting.enable_local_logins = true
|
||||||
SiteSetting.enable_sso = false
|
SiteSetting.enable_discourse_connect = false
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when the password parameter is not provided' do
|
context 'when the password parameter is not provided' do
|
||||||
|
|
|
@ -27,9 +27,9 @@ RSpec.describe CurrentUserSerializer do
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should include the external_id" do
|
it "should include the external_id" do
|
||||||
SiteSetting.sso_url = "http://example.com/discourse_sso"
|
SiteSetting.discourse_connect_url = "http://example.com/discourse_sso"
|
||||||
SiteSetting.sso_secret = "12345678910"
|
SiteSetting.discourse_connect_secret = "12345678910"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
payload = serializer.as_json
|
payload = serializer.as_json
|
||||||
expect(payload[:external_id]).to eq("12345")
|
expect(payload[:external_id]).to eq("12345")
|
||||||
end
|
end
|
||||||
|
|
|
@ -29,9 +29,9 @@ describe NotificationSerializer do
|
||||||
let(:json) { serializer.as_json }
|
let(:json) { serializer.as_json }
|
||||||
|
|
||||||
it "should include the external_id" do
|
it "should include the external_id" do
|
||||||
SiteSetting.sso_url = "http://example.com/discourse_sso"
|
SiteSetting.discourse_connect_url = "http://example.com/discourse_sso"
|
||||||
SiteSetting.sso_secret = "12345678910"
|
SiteSetting.discourse_connect_secret = "12345678910"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
expect(json[:notification][:external_id]).to eq("12345")
|
expect(json[:notification][:external_id]).to eq("12345")
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -11,13 +11,13 @@ describe SiteSettingsTask do
|
||||||
describe 'export' do
|
describe 'export' do
|
||||||
it 'creates a hash of all site settings' do
|
it 'creates a hash of all site settings' do
|
||||||
sso_url = "https://somewhere.over.com"
|
sso_url = "https://somewhere.over.com"
|
||||||
SiteSetting.sso_url = sso_url
|
SiteSetting.discourse_connect_url = sso_url
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
hash = SiteSettingsTask.export_to_hash
|
hash = SiteSettingsTask.export_to_hash
|
||||||
|
|
||||||
expect(hash).to eq(
|
expect(hash).to eq(
|
||||||
"enable_sso" => "true",
|
"enable_discourse_connect" => "true",
|
||||||
"sso_url" => sso_url
|
"discourse_connect_url" => sso_url
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -267,9 +267,9 @@ describe UserUpdater do
|
||||||
|
|
||||||
context 'when sso overrides bio' do
|
context 'when sso overrides bio' do
|
||||||
it 'does not change bio' do
|
it 'does not change bio' do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
SiteSetting.sso_overrides_bio = true
|
SiteSetting.discourse_connect_overrides_bio = true
|
||||||
|
|
||||||
user = Fabricate(:user)
|
user = Fabricate(:user)
|
||||||
updater = UserUpdater.new(acting_user, user)
|
updater = UserUpdater.new(acting_user, user)
|
||||||
|
@ -283,9 +283,9 @@ describe UserUpdater do
|
||||||
|
|
||||||
context 'when sso overrides location' do
|
context 'when sso overrides location' do
|
||||||
it 'does not change location' do
|
it 'does not change location' do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
SiteSetting.sso_overrides_location = true
|
SiteSetting.discourse_connect_overrides_location = true
|
||||||
|
|
||||||
user = Fabricate(:user)
|
user = Fabricate(:user)
|
||||||
updater = UserUpdater.new(acting_user, user)
|
updater = UserUpdater.new(acting_user, user)
|
||||||
|
@ -299,9 +299,9 @@ describe UserUpdater do
|
||||||
|
|
||||||
context 'when sso overrides website' do
|
context 'when sso overrides website' do
|
||||||
it 'does not change website' do
|
it 'does not change website' do
|
||||||
SiteSetting.sso_url = "https://www.example.com/sso"
|
SiteSetting.discourse_connect_url = "https://www.example.com/sso"
|
||||||
SiteSetting.enable_sso = true
|
SiteSetting.enable_discourse_connect = true
|
||||||
SiteSetting.sso_overrides_website = true
|
SiteSetting.discourse_connect_overrides_website = true
|
||||||
|
|
||||||
user = Fabricate(:user)
|
user = Fabricate(:user)
|
||||||
updater = UserUpdater.new(acting_user, user)
|
updater = UserUpdater.new(acting_user, user)
|
||||||
|
|
Loading…
Reference in New Issue