aces · MontrealSergiy · May 14, 2024 · May 14, 2024 · May 14, 2024 · May 14, 2024
diff --git a/BrainPortal/app/controllers/nh_users_controller.rb b/BrainPortal/app/controllers/nh_users_controller.rb
@@ -67,7 +67,7 @@ def edit #:nodoc:
   def change_password #:nodoc:
     @user = current_user
     if user_must_link_to_oidc?(@user)
-       cb_error "Your account can only authenticate with Globus identities.", :redirect => { :action => :myaccount }
+       cb_error "Your account can only authenticate with OpenID identities (such as Globus).", :redirect => { :action => :myaccount }
     end
   end
 
@@ -87,9 +87,9 @@ def update
     attr_to_update.delete(:zenodo_sandbox_token) if attr_to_update[:zenodo_sandbox_token].blank?
     attr_to_update.delete(:zenodo_main_token)    if attr_to_update[:zenodo_main_token].blank?
 
-    # Do not update password if user must use globus
-    if user_must_link_to_oidc?(@user)
-      flash[:error] = "You cannot change the password for your account." if attr_to_update[:password].present?
+    # Do not update password if user must use globus (or other oidc)
+    if user_must_link_to_oidc?(@user) && attr_to_update[:password].present?
+      flash[:error] = "You cannot change the password for your account because you should use OpenID." if attr_to_update[:password].present?
       attr_to_update.delete(:password)
       attr_to_update.delete(:password_confirmation)
     end

diff --git a/BrainPortal/app/controllers/users_controller.rb b/BrainPortal/app/controllers/users_controller.rb
@@ -386,6 +386,16 @@ def send_password #:nodoc:
     @user = User.where( :login  => params[:login], :email  => params[:email] ).first
 
     if @user
+      if user_must_link_to_oidc?(@user)
+        contact = RemoteResource.current_resource.support_email.presence || User.admin.email.presence || "the support staff"
+        wipe_user_password_after_oidc_link("password-rest", @user)  # for legacy or erroneously set users
+        flash[:error] = "Your account can only authenticate with OpenID identities. Thus you are not allowed to use or reset password. Please contact #{contact} for help."
+        respond_to do |format|
+          format.html { redirect_to login_path }
+          format.any { head :unauthorized }
+        end
+        return
+      end
       if @user.account_locked?
         contact = RemoteResource.current_resource.support_email.presence || User.admin.email.presence || "the support staff"
         flash[:error] = "This account is locked, please write to #{contact} to get this account unlocked."

diff --git a/BrainPortal/lib/globus_helpers.rb b/BrainPortal/lib/globus_helpers.rb
@@ -148,8 +148,9 @@ def user_must_link_to_oidc?(user)
   end
 
   def wipe_user_password_after_oidc_link(oidc, user)
-    user.update_attribute(:crypted_password, "Wiped-By-#{oidc.name}-Link-" + User.random_string)
-    user.update_attribute(:salt            , "Wiped-By-#{oidc.name}-Link-" + User.random_string)
+    wipe_by = oidc.is_a?(String) ? "Wiped-By-#{oidc}-Link-" : "Wiped-By-#{oidc.name}-Link-"
+    user.update_attribute(:crypted_password, wipe_by + User.random_string)
+    user.update_attribute(:salt            , wipe_by + User.random_string)
     user.update_attribute(:password_reset  , false)
   end
 

diff --git a/BrainPortal/spec/controllers/users_controller_spec.rb b/BrainPortal/spec/controllers/users_controller_spec.rb
@@ -228,10 +228,22 @@
           expect(assigns[:user].password).not_to eq(user.password)
         end
 
+        context "when the account must use OIDC identification only" do
+
+          it "should display a message" do
+            allow(mock_user).to receive(:account_locked?).and_return(true)
+            allow(User).to receive_message_chain(:where, :first).and_return(mock_user)
+            post :send_password, params: {:login => user.login, :email => user.email}
+            expect(flash[:error]).to match(/OpenID/i)
+          end
+
+        end
+
         context "when the account is locked" do
 
           it "should display a message" do
             allow(mock_user).to receive(:account_locked?).and_return(true)
+            allow(mock_user).to receive(:meta).and_return({ "allowed_globus_provider_names" => "" })
             allow(User).to receive_message_chain(:where, :first).and_return(mock_user)
             post :send_password, params: {:login => user.login, :email => user.email}
             expect(flash[:error]).to match(/locked/i)
@@ -251,7 +263,11 @@
         context "when reset fails" do
 
           it "should display flash message about problem" do
-            mock_user = mock_model(User, :save => false, :account_locked? => false).as_null_object
+            mock_user = mock_model(User,
+                                   :save => false,
+                                   :account_locked? => false,
+                                   :meta => { "allowed_globus_provider_names" => "" }
+            ).as_null_object
             allow(User).to receive_message_chain(:where, :first).and_return(mock_user)
             post :send_password
             expect(flash[:error]).to match(/^Unable to reset password/)