based implementation to block banned user sso

thewca · Oct 22, 2024 · 4495057 · 4495057
1 parent 44a3ba0
commit 4495057
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 0 deletions.
diff --git a/.env.test b/.env.test
@@ -35,3 +35,4 @@ STAGING_OAUTH_SECRET=example-secret
 AVATARS_PUBLIC_STORAGE=local
 AVATARS_PRIVATE_STORAGE=local_private
 DUMP_HOST=https://assets.worldcubeassociation.org
+BANNED_FORUM_USER_IDS=777777,777778
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -264,6 +264,10 @@ def sso_discourse
     # Note that we do validate emails (as in: users can't log in until they have
     # validated their emails).
 
+    # If a user is banned form the forums, the sso fails
+    banned_ids = EnvConfig.BANNED_FORUM_USER_IDS.split(',').map(&:to_i)
+    return redirect_to new_user_session_path if banned_ids.include?(current_user.id)
+
     # Use the 'SingleSignOn' lib provided by Discourse. Our secret and URL is
     # already configured there.
     sso = SingleSignOn.parse(request.query_string)

diff --git a/env_config.rb b/env_config.rb
@@ -23,6 +23,7 @@
     mandatory :DATABASE_WRT_USER, :string
     optional :PAYPAL_BASE_URL, :string ## TODO: Change to mandatory when launching paypal
     mandatory :WRC_WEBHOOK_URL, :string
+    mandatory :BANNED_FORUM_USER_IDS, :string
 
     # Production-specific stuff
     mandatory :VAULT_ADDR, :string
@@ -53,6 +54,7 @@
     optional :WCA_REGISTRATIONS_POLL_URL, :string, ''
     optional :PAYPAL_BASE_URL, :string, ''
     optional :WRC_WEBHOOK_URL, :string, ''
+    optional :BANNED_FORUM_USER_IDS, :string, ''
 
     # Local-specific stuff
     optional :DISABLE_BULLET, :bool, false

diff --git a/spec/requests/users_spec.rb b/spec/requests/users_spec.rb
@@ -211,6 +211,15 @@
       get "#{sso_discourse_path}?#{sso.payload}"
       expect(response).to redirect_to new_user_session_path
     end
+
+    it 'doesnt authenticate user banned from discourse', :tag do
+      # NOTE: Forum banned status is set in environment variables pending a full implementation
+      user = FactoryBot.create(:user, id: 777_777)
+      sign_in user
+      sso.nonce = 1234
+      get "#{sso_discourse_path}?#{sso.payload}"
+      expect(response).to redirect_to new_user_session_path
+    end
   end
 
   def query_string_from_location(location)