Added variable in .env to enforce certain domains in account registrations (#1589)

Allow REQUIRE_MAIL_DOMAIN to not exist in addition to it being empty Undo changes in config/locales/de_DE.yml changed .env variable name to GREENLIGHT_ACCOUNT_HD; allowed only comma and no whitespace as separator Allow the admin to change email-addresses, just enforce domain on registration Co-authored-by: Gaja Sophie Peters <gaja.peters@uni-hamburg.de> Co-authored-by: Ahmad Farhat <ahmad.af.farhat@gmail.com>
2021-06-01 23:11:15 +02:00 · 2021-06-01 23:11:15 +02:00 · 505ed05c5a
parent 0181678e1a
commit 505ed05c5a
4 changed files with 18 additions and 0 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -39,6 +39,7 @@ class User < ApplicationRecord
                   format: { without: %r{https?://}i }
  validates :provider, presence: true
  validate :check_if_email_can_be_blank
+  validate :check_domain, if: :greenlight_account?, on: :create
  validates :email, length: { maximum: 256 }, allow_blank: true,
                    uniqueness: { case_sensitive: false, scope: :provider },
                    format: { with: /\A[\w+\-'.]+@[a-z\d\-.]+\.[a-z]+\z/i }
@ -234,6 +235,13 @@ class User < ApplicationRecord
    Role.create_default_roles(role_provider) if Role.where(provider: role_provider).count.zero?
  end

+  def check_domain
+    if Rails.configuration.require_email_domain.any? && !email.end_with?(*Rails.configuration.require_email_domain)
+      errors.add(:email, I18n.t("errors.messages.domain",
+        email_domain: Rails.configuration.require_email_domain.join('" ' + I18n.t("modal.login.or") + ' "')))
+    end
+  end
+
  def check_if_email_can_be_blank
    if email.blank?
      if Rails.configuration.loadbalanced_configuration && greenlight_account?
--- a/config/application.rb
+++ b/config/application.rb
@ -94,6 +94,9 @@ module Greenlight
    # Determine if GreenLight should enable email verification
    config.enable_email_verification = parse_bool(ENV['ALLOW_MAIL_NOTIFICATIONS'])

+    # Determine if GreenLight should require a certain mail-domain
+    config.require_email_domain = ENV["GREENLIGHT_ACCOUNT_HD"].to_s.split(",")
+
    # Determine if GreenLight should allow non-omniauth signup/login.
    config.allow_user_signup = parse_bool(ENV['ALLOW_GREENLIGHT_ACCOUNTS'])

--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -269,6 +269,7 @@ en:
      accepted: must be accepted
      confirmation: doesn't match %{attribute}
      inclusion: is not included in the list
+      domain: must end with "%{email_domain}"
    no_provider:
      message: The site you are trying to access is not enabled
      help: Please contact your system administrator to setup Greenlight
--- a/sample.env
+++ b/sample.env
@ -105,6 +105,12 @@ LDAP_ATTRIBUTE_MAPPING=
 #
 ALLOW_GREENLIGHT_ACCOUNTS=true

+# "hosted domain" part of the Email-Address required for signup for a greenlight account
+#    domain.com matches also mail.domain.com
+#    @domain.com does NOT match @mail.domain.com
+#    multiple domains can be separated by comma (with no whitespace!)
+#GREENLIGHT_ACCOUNT_HD=@domain.com,subdomain-allowed.net
+
 # To enable reCaptcha on the user sign up, define these 2 keys
 # You can obtain these keys by registering your domain using the following url:
 #