Basic implementation to block banned user Discourse SSO (#10121)

* based implementation to block banned user sso * fixed env variable issues in test * refactored to add a 3rd scope * added i18n key * rubocop * unused i18n key * added starburst
thewca · Oct 29, 2024 · 78e383a · 78e383a
1 parent 2050836
commit 78e383a
Show file tree

Hide file tree

Showing 8 changed files with 23 additions and 0 deletions.
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -264,6 +264,11 @@ def sso_discourse
     # Note that we do validate emails (as in: users can't log in until they have
     # validated their emails).
 
+    if current_user.forum_banned?
+      flash[:alert] = I18n.t('registrations.errors.banned_html').html_safe
+      return redirect_to new_user_session_path
+    end
+
     # Use the 'SingleSignOn' lib provided by Discourse. Our secret and URL is
     # already configured there.
     sso = SingleSignOn.parse(request.query_string)

diff --git a/app/models/roles_metadata_banned_competitors.rb b/app/models/roles_metadata_banned_competitors.rb
@@ -4,5 +4,6 @@ class RolesMetadataBannedCompetitors < ApplicationRecord
   enum :scope, {
     competing_only: "competing_only",
     competing_and_attending: "competing_and_attending",
+    competing_and_attending_and_forums: "competing_and_attending_and_forums",
   }
 end
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -505,6 +505,10 @@ def banned?
     group_member?(UserGroup.banned_competitors.first)
   end
 
+  def forum_banned?
+    current_ban&.metadata&.scope == 'competing_and_attending_and_forums'
+  end
+
   def banned_in_past?
     past_roles.any? { |role| role.group == UserGroup.banned_competitors.first }
   end

diff --git a/app/webpacker/components/Panel/pages/BannedCompetitorsPage/BannedCompetitorForm.jsx b/app/webpacker/components/Panel/pages/BannedCompetitorsPage/BannedCompetitorForm.jsx
@@ -14,6 +14,7 @@ const banScopeOptions = Object.keys(banScopes).map((option) => ({
   key: option,
   // i18n-tasks-use t('enums.user_roles.ban_scope.competing_only')
   // i18n-tasks-use t('enums.user_roles.ban_scope.competing_and_attending')
+  // i18n-tasks-use t('enums.user_roles.ban_scope.competing_and_attending_and_forums')
   text: I18n.t(`enums.user_roles.ban_scope.${option}`),
   value: option,
 }));

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -428,6 +428,7 @@ en:
       ban_scope:
         competing_only: "Competing Only"
         competing_and_attending: "Competing & Attending"
+        competing_and_attending_and_forums: "Competing, Attending & Forums"
     competition_medium:
       status:
         accepted: "Accepted"

diff --git a/spec/factories/roles_metadata_banned_competitors.rb b/spec/factories/roles_metadata_banned_competitors.rb
@@ -2,5 +2,7 @@
 
 FactoryBot.define do
   factory :roles_metadata_banned_competitors do
+    ban_reason { 'test banned reason' }
+    scope { RolesMetadataBannedCompetitors.scopes[:competing_and_attending_and_forums] }
   end
 end
diff --git a/spec/factories/user_roles.rb b/spec/factories/user_roles.rb
@@ -190,6 +190,7 @@
 
     trait :banned_competitor do
       group_id { UserGroup.banned_competitors.first.id }
+      metadata { FactoryBot.create(:roles_metadata_banned_competitors) }
     end
 
     factory :probation_role, traits: [:delegate_probation, :active]

diff --git a/spec/requests/users_spec.rb b/spec/requests/users_spec.rb
@@ -211,6 +211,14 @@
       get "#{sso_discourse_path}?#{sso.payload}"
       expect(response).to redirect_to new_user_session_path
     end
+
+    it 'doesnt authenticate user banned from discourse' do
+      user = FactoryBot.create(:user, :banned)
+      sign_in user
+      sso.nonce = 1234
+      get "#{sso_discourse_path}?#{sso.payload}"
+      expect(response).to redirect_to new_user_session_path
+    end
   end
 
   def query_string_from_location(location)