Allow to disable user account creation

jirutka · jirutka · commit a2401a306715 · 2023-04-04T23:18:06.000+02:00
diff --git a/README.rdoc b/README.rdoc
@@ -87,6 +87,8 @@ admin_role::
     +realm_access.roles+.
 
     Example: ROLES/REDMINE/ADMIN
+create_user_if_not_exists::
+    Whether to create a user account for an authenticated user who does not already have one.
 
 
 == Mapping users
diff --git a/app/controllers/oidc_controller.rb b/app/controllers/oidc_controller.rb
@@ -82,11 +82,17 @@ def login_user
   end
 
   def create_user
-    user = User.create(@oidc_session.user_attributes)
-    user.activate
-    user.random_password
-    user.last_login_on = Time.now
-    user.save ? successful_login(user) : unsuccessful_login(user)
+    if settings.create_user_if_not_exists
+      user = User.create(@oidc_session.user_attributes)
+      user.activate
+      user.random_password
+      user.last_login_on = Time.now
+      user.save ? successful_login(user) : unsuccessful_login(user)
+    else
+      user_id = @oidc_session.user_attributes[:login] || @oidc_session.user_attributes[:oidc_identifier]
+      logger.info "User #{user_id} does not exist and creating new users by OIDC is disabled"
+      render 'lock_user', :status => :unauthorized
+    end
   end
 
   def update_user(user)
@@ -110,4 +116,7 @@ def unsuccessful_login(user)
     end
   end
 
+  def settings
+    @settings ||= RedmineOidc.settings
+  end
 end
diff --git a/app/views/settings/_redmine_oidc.html.erb b/app/views/settings/_redmine_oidc.html.erb
@@ -38,6 +38,10 @@
   <%= label_tag 'settings[admin_role]', l('oidc.settings.admin_role') %>
   <%= text_field_tag 'settings[admin_role]', oidc_settings.admin_role, size: 60 %>
 </p>
+<p>
+  <%= label_tag 'settings[create_user_if_not_exists]', l('oidc.settings.create_user_if_not_exists') %>
+  <%= check_box_tag 'settings[create_user_if_not_exists]', 1, oidc_settings.create_user_if_not_exists %>
+</p>
 <p>
   <%= label_tag 'settings[session_check_enabled]', l('oidc.settings.session_check_enabled') %>
   <%= check_box_tag 'settings[session_check_enabled]', 1, oidc_settings.session_check_enabled %>
diff --git a/config/locales/de.yml b/config/locales/de.yml
@@ -34,6 +34,7 @@ de:
       roles_claim_placeholder: roles
       access_roles: Leerzeichen-separierte Liste der autorisierten Rollen
       admin_role: Administrationsrolle
+      create_user_if_not_exists: Benutzer erstellen, falls nicht vorhanden
       session_check_enabled: Session Check aktivieren
       session_check_users_csv: Komma-separierte Liste der Logins mit Session Check (* = alle)
     error:
diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -34,6 +34,7 @@ en:
       roles_claim_placeholder: roles
       access_roles: Space-separated list of authorized roles
       admin_role: Administration role
+      create_user_if_not_exists: Create user if not exists
       session_check_enabled: Enable session check
       session_check_users_csv: Comma-separated list of logins with session check (* = all)
     error:
diff --git a/lib/redmine_oidc/settings.rb b/lib/redmine_oidc/settings.rb
@@ -31,6 +31,7 @@ class Settings
       roles_claim
       access_roles
       admin_role
+      create_user_if_not_exists
       session_check_enabled
       session_check_users_csv
     )
@@ -54,6 +55,9 @@ def current
         settings_hash = ::Setting.plugin_redmine_oidc
         settings_hash = settings_hash.reject { |k,_| !VALID_KEYS.include? k.to_s }
 
+        # Mainly for backward compatibility.
+        settings_hash[:create_user_if_not_exists] = true if !settings_hash.key?(:create_user_if_not_exists)
+
         new(settings_hash)
       end
     end
