From 505ed05c5af5da766b635a98f12504b89b110935 Mon Sep 17 00:00:00 2001 From: EmmyGraugans <65039059+EmmyGraugans@users.noreply.github.com> Date: Tue, 1 Jun 2021 23:11:15 +0200 Subject: [PATCH] Added variable in .env to enforce certain domains in account registrations (#1589) Allow REQUIRE_MAIL_DOMAIN to not exist in addition to it being empty Undo changes in config/locales/de_DE.yml changed .env variable name to GREENLIGHT_ACCOUNT_HD; allowed only comma and no whitespace as separator Allow the admin to change email-addresses, just enforce domain on registration Co-authored-by: Gaja Sophie Peters Co-authored-by: Ahmad Farhat --- app/models/user.rb | 8 ++++++++ config/application.rb | 3 +++ config/locales/en.yml | 1 + sample.env | 6 ++++++ 4 files changed, 18 insertions(+) diff --git a/app/models/user.rb b/app/models/user.rb index 679cbdd1..3ad99d4c 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -39,6 +39,7 @@ class User < ApplicationRecord format: { without: %r{https?://}i } validates :provider, presence: true validate :check_if_email_can_be_blank + validate :check_domain, if: :greenlight_account?, on: :create validates :email, length: { maximum: 256 }, allow_blank: true, uniqueness: { case_sensitive: false, scope: :provider }, format: { with: /\A[\w+\-'.]+@[a-z\d\-.]+\.[a-z]+\z/i } @@ -234,6 +235,13 @@ class User < ApplicationRecord Role.create_default_roles(role_provider) if Role.where(provider: role_provider).count.zero? end + def check_domain + if Rails.configuration.require_email_domain.any? && !email.end_with?(*Rails.configuration.require_email_domain) + errors.add(:email, I18n.t("errors.messages.domain", + email_domain: Rails.configuration.require_email_domain.join('" ' + I18n.t("modal.login.or") + ' "'))) + end + end + def check_if_email_can_be_blank if email.blank? if Rails.configuration.loadbalanced_configuration && greenlight_account? diff --git a/config/application.rb b/config/application.rb index 3670e7c6..18704274 100644 
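Review bot: The `on: :create` option on the added `validate :check_domain` line means the domain rule is never re-checked on update, so an account whose email is edited after sign-up is no longer bound to the allowed domains. The commit message says this is intended so that admins can change addresses, but the model cannot tell an admin edit from a user's own profile edit. If a self-service email change exists (not visible in this hunk), enforce the rule in that path as well. At minimum, document the scope next to the validation, e.g. `# Domain is enforced at registration only; later edits may set any address.`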
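Review bot: `email.end_with?(*Rails.configuration.require_email_domain)` in `check_domain` is a plain suffix match, so an entry written without a leading `@` (the `subdomain-allowed.net` form shown in sample.env) also accepts any unrelated domain whose name merely ends in that string, not only the domain and its subdomains. Entries without `@` should be matched only after an `@` or `.` boundary. The method also calls `end_with?` on `email` unguarded, and since the neighbouring `check_if_email_can_be_blank` shows email may be blank, a nil email would raise `NoMethodError` instead of adding a validation error. The sketch below leaves the blank case to `check_if_email_can_be_blank`, whose body continues outside the hunk.

```ruby
def check_domain
  allowed = Rails.configuration.require_email_domain
  return if allowed.empty? || email.blank?

  matched = allowed.any? do |entry|
    if entry.start_with?("@")
      email.end_with?(entry)
    else
      # bare domain: accept the domain itself or a subdomain, nothing else
      email.end_with?("@#{entry}", ".#{entry}")
    end
  end
  return if matched

  # … unchanged: errors.add(:email, I18n.t("errors.messages.domain", …)) …
end
```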
--- a/config/application.rb +++ b/config/application.rb @@ -94,6 +94,9 @@ module Greenlight # Determine if GreenLight should enable email verification config.enable_email_verification = parse_bool(ENV['ALLOW_MAIL_NOTIFICATIONS']) + # Determine if GreenLight should require a certain mail-domain + config.require_email_domain = ENV["GREENLIGHT_ACCOUNT_HD"].to_s.split(",") + # Determine if GreenLight should allow non-omniauth signup/login. config.allow_user_signup = parse_bool(ENV['ALLOW_GREENLIGHT_ACCOUNTS']) diff --git a/config/locales/en.yml b/config/locales/en.yml index ebe18d12..04e14a1b 100755 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -269,6 +269,7 @@ en: accepted: must be accepted confirmation: doesn't match %{attribute} inclusion: is not included in the list + domain: must end with "%{email_domain}" no_provider: message: The site you are trying to access is not enabled help: Please contact your system administrator to setup Greenlight diff --git a/sample.env b/sample.env index 5cebc7fb..ad93036f 100644 --- a/sample.env +++ b/sample.env @@ -105,6 +105,12 @@ LDAP_ATTRIBUTE_MAPPING= # ALLOW_GREENLIGHT_ACCOUNTS=true +# "hosted domain" part of the Email-Address required for signup for a greenlight account +# domain.com matches also mail.domain.com +# @domain.com does NOT match @mail.domain.com +# multiple domains can be separated by comma (with no whitespace!) +#GREENLIGHT_ACCOUNT_HD=@domain.com,subdomain-allowed.net + # To enable reCaptcha on the user sign up, define these 2 keys # You can obtain these keys by registering your domain using the following url: #
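Review bot: `ENV["GREENLIGHT_ACCOUNT_HD"].to_s.split(",")` in config/application.rb keeps empty and whitespace-padded entries, and an empty entry makes the restriction fail open. A leading or doubled comma yields `""` in the list, and `end_with?("")` is true for every string, so the check in `User#check_domain` would accept any address while the setting still looks active. An entry with a leading space, on the other hand, never matches. Normalising at load time avoids both: `config.require_email_domain = ENV["GREENLIGHT_ACCOUNT_HD"].to_s.split(",").map(&:strip).reject(&:empty?)`.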