GRN2-6: Added the ability for admins to specify registration method (#520)

* Added the ability to invite users

* Small bug fix

* Added the ability to approve/decline users

* Small bug fixes

* More bug fixes

* More minor changes

* Final changes

.gitignore

@@ -35,6 +35,8 @@ env
 # IDEs
 .idea
 .idea/**
+.vscode
+.vscode/**
 
 config/terms.md
 coverage*

.rubocop.yml

@@ -41,6 +41,10 @@ Style/MixinUsage:
 Style/SymbolArray:
   Enabled: false
 
+# Don't use begin blocks when they are not needed.
+Style/RedundantBegin:
+  Enabled: false
+
 # Use `%`-literal delimiters consistently
 Style/PercentLiteralDelimiters:
   Enabled: false

Gemfile.lock

@@ -215,7 +215,7 @@ GEM
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
     rainbow (3.0.0)
-    rake (12.3.1)
+    rake (12.3.2)
     random_password (0.1.1)
     rb-fsevent (0.10.3)
     rb-inotify (0.9.10)

app/assets/javascripts/header.js

@@ -17,7 +17,8 @@
 $(document).on('turbolinks:load', function(){
   // Stores the current url when the user clicks the sign in button
   $(".sign-in-button").click(function(){
-    document.cookie ="return_to=" + window.location.href
+    var url = [location.protocol, '//', location.host, location.pathname].join('');
+    document.cookie ="return_to=" + url
   })
 
   // Checks to see if the user provided an image url and displays it if they did

app/assets/stylesheets/utilities/_primary_themes.scss

@@ -9,7 +9,6 @@
 .btn-primary:active,
 .btn-primary:active:focus,
 .btn-primary:active:hover,
-.btn-primary:focus,
 .btn-primary:hover,
 .btn-primary:hover i {
   background-color: $primary-color-darken !important;
@@ -17,6 +16,13 @@
   color: white !important;
 }
 
+.btn-primary:focus {
+  background-color: $primary-color-darken !important;
+  border-color: $primary-color-darken !important;
+  color: white !important;
+  box-shadow: 0 0 0 2px $primary-color-lighten !important;
+}
+
 a {
   color: $primary-color !important;
 }
@@ -39,7 +45,7 @@ a {
   }
 
   &:focus {
-    box-shadow: 0 0 0 2px $primary-color-lighten;
+    box-shadow: 0 0 0 2px $primary-color-lighten !important;
   }
 }
 

app/controllers/account_activations_controller.rb

@@ -32,6 +32,10 @@ class AccountActivationsController < ApplicationController
     if @user && !@user.activated? && @user.authenticated?(:activation, params[:token])
       @user.activate
 
+      # Redirect user to root with account pending flash if account is still pending
+      return redirect_to root_path,
+        flash: { success: I18n.t("registration.approval.signup") } if @user.has_role?(:pending)
+
       flash[:success] = I18n.t("verify.activated") + " " + I18n.t("verify.signin")
       redirect_to signin_path
     else

app/controllers/admins_controller.rb

@@ -18,10 +18,15 @@
 
 class AdminsController < ApplicationController
   include Pagy::Backend
+  include Emailer
+
+  manage_users = [:edit_user, :promote, :demote, :ban_user, :unban_user, :approve]
+  site_settings = [:branding, :coloring, :registration_method]
+
   authorize_resource class: false
-  before_action :find_user, only: [:edit_user, :promote, :demote, :ban_user, :unban_user]
-  before_action :verify_admin_of_user, only: [:edit_user, :promote, :demote, :ban_user, :unban_user]
-  before_action :find_setting, only: [:branding, :coloring]
+  before_action :find_user, only: manage_users
+  before_action :verify_admin_of_user, only: manage_users
+  before_action :find_setting, only: site_settings
 
   # GET /admins
   def index
@@ -29,19 +34,11 @@ class AdminsController < ApplicationController
     @order_column = params[:column] && params[:direction] != "none" ? params[:column] : "created_at"
     @order_direction = params[:direction] && params[:direction] != "none" ? params[:direction] : "DESC"
 
-    if Rails.configuration.loadbalanced_configuration
-      @pagy, @users = pagy(User.without_role(:super_admin)
-                  .where(provider: user_settings_provider)
-                  .where.not(id: current_user.id)
-                  .admins_search(@search)
-                  .admins_order(@order_column, @order_direction))
-    else
-      @pagy, @users = pagy(User.where.not(id: current_user.id)
-                      .admins_search(@search)
-                      .admins_order(@order_column, @order_direction))
-    end
+    @pagy, @users = pagy(user_list)
   end
 
+  # MANAGE USERS
+
   # GET /admins/edit/:user_uid
   def edit_user
     render "admins/index", locals: { setting_id: "account" }
@@ -59,6 +56,48 @@ class AdminsController < ApplicationController
     redirect_to admins_path, flash: { success: I18n.t("administrator.flash.demoted") }
   end
 
+  # POST /admins/ban/:user_uid
+  def ban_user
+    @user.remove_role :pending if @user.has_role? :pending
+    @user.add_role :denied
+    redirect_to admins_path, flash: { success: I18n.t("administrator.flash.banned") }
+  end
+
+  # POST /admins/unban/:user_uid
+  def unban_user
+    @user.remove_role :denied
+    redirect_to admins_path, flash: { success: I18n.t("administrator.flash.unbanned") }
+  end
+
+  # POST /admins/approve/:user_uid
+  def approve
+    @user.remove_role :pending
+
+    send_user_approved_email(@user)
+
+    redirect_to admins_path, flash: { success: I18n.t("administrator.flash.approved") }
+  end
+
+  # POST /admins/invite
+  def invite
+    email = params[:invite_user][:email]
+
+    begin
+      invitation = create_or_update_invite(email)
+
+      send_invitation_email(current_user.name, email, invitation.invite_token)
+    rescue => e
+      logger.error "Error in email delivery: #{e}"
+      flash[:alert] = I18n.t(params[:message], default: I18n.t("delivery_error"))
+    else
+      flash[:success] = I18n.t("administrator.flash.invite", email: email)
+    end
+
+    redirect_to admins_path
+  end
+
+  # SITE SETTINGS
+
   # POST /admins/branding
   def branding
     @settings.update_value("Branding Image", params[:url])
@@ -68,19 +107,22 @@ class AdminsController < ApplicationController
   # POST /admins/color
   def coloring
     @settings.update_value("Primary Color", params[:color])
-    redirect_to admins_path(setting: "site_settings")
+    redirect_to admins_path
   end
 
-  # POST /admins/ban/:user_uid
-  def ban_user
-    @user.add_role :denied
-    redirect_to admins_path, flash: { success: I18n.t("administrator.flash.banned") }
-  end
+  # POST /admins/registration_method/:method
+  def registration_method
+    new_method = Rails.configuration.registration_methods[params[:method].to_sym]
 
-  # POST /admins/unban/:user_uid
-  def unban_user
-    @user.remove_role :denied
-    redirect_to admins_path, flash: { success: I18n.t("administrator.flash.unbanned") }
+    # Only allow change to Join by Invitation if user has emails enabled
+    if !Rails.configuration.enable_email_verification && new_method == Rails.configuration.registration_methods[:invite]
+      redirect_to admins_path,
+        flash: { alert: I18n.t("administrator.flash.invite_email_verification") }
+    else
+      @settings.update_value("Registration Method", new_method)
+      redirect_to admins_path,
+        flash: { success: I18n.t("administrator.flash.registration_method_updated") }
+    end
   end
 
   private
@@ -97,4 +139,35 @@ class AdminsController < ApplicationController
     redirect_to admins_path,
       flash: { alert: I18n.t("administrator.flash.unauthorized") } unless current_user.admin_of?(@user)
   end
+
+  # Gets the list of users based on your configuration
+  def user_list
+    if Rails.configuration.loadbalanced_configuration
+      User.without_role(:super_admin)
+          .where(provider: user_settings_provider)
+          .where.not(id: current_user.id)
+          .admins_search(@search)
+          .admins_order(@order_column, @order_direction)
+    else
+      User.where.not(id: current_user.id)
+          .admins_search(@search)
+          .admins_order(@order_column, @order_direction)
+    end
+  end
+
+  # Creates the invite if it doesn't exist, or updates the updated_at time if it does
+  def create_or_update_invite(email)
+    invite = Invitation.find_by(email: email, provider: @user_domain)
+
+    # Invite already exists
+    if invite.present?
+      # Updates updated_at to now
+      invite.touch
+    else
+      # Creates invite
+      invite = Invitation.create(email: email, provider: @user_domain)
+    end
+
+    invite
+  end
 end

app/controllers/application_controller.rb

@@ -19,6 +19,7 @@
 require 'bigbluebutton_api'
 
 class ApplicationController < ActionController::Base
+  include ApplicationHelper
   include SessionsHelper
   include ThemingHelper
 
@@ -26,7 +27,7 @@ class ApplicationController < ActionController::Base
   before_action :set_locale
   before_action :check_admin_password
   before_action :set_user_domain
-  before_action :check_if_unbanned
+  before_action :check_user_role
 
   # Force SSL for loadbalancer configurations.
   before_action :redirect_to_https
@@ -84,7 +85,7 @@ class ApplicationController < ActionController::Base
   helper_method :recording_thumbnails?
 
   def allow_greenlight_users?
-    Rails.configuration.greenlight_accounts
+    allow_greenlight_accounts?
   end
   helper_method :allow_greenlight_users?
 
@@ -136,11 +137,14 @@ class ApplicationController < ActionController::Base
   helper_method :set_user_domain
 
   # Checks if the user is banned and logs him out if he is
-  def check_if_unbanned
-    if current_user&.has_role?(:denied)
+  def check_user_role
+    if current_user&.has_role? :denied
       session.delete(:user_id)
-      redirect_to unauthorized_path
+      redirect_to root_path, flash: { alert: I18n.t("registration.banned.fail") }
+    elsif current_user&.has_role? :pending
+      session.delete(:user_id)
+      redirect_to root_path, flash: { alert: I18n.t("registration.approval.fail") }
     end
   end
-  helper_method :check_if_unbanned
+  helper_method :check_user_role
 end

app/controllers/concerns/emailer.rb

@@ -31,12 +31,32 @@ module Emailer
     UserMailer.password_reset(@user, reset_link, logo_image, user_color).deliver_now
   end
 
+  # Sends inivitation to join
+  def send_invitation_email(name, email, token)
+    @token = token
+    UserMailer.invite_email(name, email, invitation_link, logo_image, user_color).deliver_now
+  end
+
+  def send_user_approved_email(user)
+    UserMailer.approve_user(user, root_url, logo_image, user_color).deliver_now
+  end
+
+  private
+
   # Returns the link the user needs to click to verify their account
   def user_verification_link
-    request.base_url + edit_account_activation_path(token: @user.activation_token, email: @user.email)
+    edit_account_activation_url(token: @user.activation_token, email: @user.email)
   end
 
   def reset_link
-    request.base_url + edit_password_reset_path(@user.reset_token, email: @user.email)
+    edit_password_reset_url(@user.reset_token, email: @user.email)
+  end
+
+  def invitation_link
+    if allow_greenlight_users?
+      signup_url(invite_token: @token)
+    else
+      root_url(invite_token: @token)
+    end
   end
 end

app/controllers/concerns/registrar.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/.
+#
+# Copyright (c) 2018 BigBlueButton Inc. and by respective authors (see below).
+#
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+
+module Registrar
+  extend ActiveSupport::Concern
+
+  def registration_method
+    Setting.find_or_create_by!(provider: user_settings_provider).get_value("Registration Method")
+  end
+
+  def open_registration
+     registration_method == Rails.configuration.registration_methods[:open]
+  end
+
+  def approval_registration
+     registration_method == Rails.configuration.registration_methods[:approval]
+  end
+
+  def invite_registration
+     registration_method == Rails.configuration.registration_methods[:invite]
+  end
+
+  # Returns a hash containing whether the user has been invited and if they
+  # signed up with the same email that they were invited with
+  def check_user_invited(email, token, domain)
+    return { present: true, verified: false } unless invite_registration
+    return { present: false, verified: false } if token.nil?
+
+    invite = Invitation.valid.find_by(invite_token: token, provider: domain)
+    if invite.present?
+      # Check if they used the same email to sign up
+      same_email = email.casecmp(invite.email).zero?
+      invite.destroy
+      { present: true, verified: same_email }
+    else
+      { present: false, verified: false }
+    end
+  end
+end

app/controllers/main_controller.rb

@@ -17,7 +17,10 @@
 # with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
 
 class MainController < ApplicationController
+  include Registrar
   # GET /
   def index
+    # Store invite token
+    session[:invite_token] = params[:invite_token] if params[:invite_token] && invite_registration
   end
 end

app/controllers/sessions_controller.rb

@@ -17,6 +17,8 @@
 # with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
 
 class SessionsController < ApplicationController
+  include Registrar
+
   skip_before_action :verify_authenticity_token, only: [:omniauth, :fail]
 
   # GET /users/logout
@@ -32,11 +34,11 @@ class SessionsController < ApplicationController
       user = admin
     else
       user = User.find_by(email: session_params[:email], provider: @user_domain)
-      redirect_to(root_path, alert: I18n.t("invalid_user")) && return unless user
+      redirect_to(signin_path, alert: I18n.t("invalid_user")) && return unless user
       redirect_to(root_path, alert: I18n.t("invalid_login_method")) && return unless user.greenlight_account?
       redirect_to(account_activation_path(email: user.email)) && return unless user.activated?
     end
-    redirect_to(root_path, alert: I18n.t("invalid_credentials")) && return unless user.try(:authenticate,
+    redirect_to(signin_path, alert: I18n.t("invalid_credentials")) && return unless user.try(:authenticate,
       session_params[:password])
 
     login(user)
@@ -44,11 +46,26 @@ class SessionsController < ApplicationController
 
   # GET/POST /auth/:provider/callback
   def omniauth
-    user = User.from_omniauth(request.env['omniauth.auth'])
-    login(user)
-  rescue => e
-    logger.error "Error authenticating via omniauth: #{e}"
-    omniauth_fail
+    begin
+      @auth = request.env['omniauth.auth']
+      @user_exists = check_user_exists
+
+      # If using invitation registration method, make sure user is invited
+      return redirect_to root_path, flash: { alert: I18n.t("registration.invite.no_invite") } unless passes_invite_reqs
+
+      user = User.from_omniauth(@auth)
+
+      # Add pending role if approval method and is a new user
+      if approval_registration && !@user_exists
+        user.add_role :pending
+        return redirect_to root_path, flash: { success: I18n.t("registration.approval.signup") }
+      end
+
+      login(user)
+    rescue => e
+        logger.error "Error authenticating via omniauth: #{e}"
+        omniauth_fail
+    end
   end
 
   # POST /auth/failure
@@ -61,4 +78,17 @@ class SessionsController < ApplicationController
   def session_params
     params.require(:session).permit(:email, :password)
   end
+
+  def check_user_exists
+    provider = @auth['provider'] == "bn_launcher" ? @auth['info']['customer'] : @auth['provider']
+    User.exists?(social_uid: @auth['uid'], provider: provider)
+  end
+
+  # Check if the user already exists, if not then check for invitation
+  def passes_invite_reqs
+    return true if @user_exists
+
+    invitation = check_user_invited("", session[:invite_token], @user_domain)
+    invitation[:present]
+  end
 end

app/controllers/users_controller.rb

@@ -20,6 +20,7 @@ class UsersController < ApplicationController
   include RecordingsHelper
   include Pagy::Backend
   include Emailer
+  include Registrar
 
   before_action :find_user, only: [:edit, :update, :destroy]
   before_action :ensure_unauthenticated, only: [:new, :create]
@@ -32,29 +33,29 @@ class UsersController < ApplicationController
     @user = User.new(user_params)
     @user.provider = @user_domain
 
-    # Add validation errors to model if they exist
-    valid_user = @user.valid?
-    valid_captcha = Rails.configuration.recaptcha_enabled ? verify_recaptcha(model: @user) : true
+    # User or recpatcha is not valid
+    render(:new) && return unless valid_user_or_captcha
 
-    if valid_user && valid_captcha
-      @user.save
-    else
-      render(:new) && return
-    end
+    # Redirect to root if user token is either invalid or expired
+    return redirect_to root_path, flash: { alert: I18n.t("registration.invite.fail") } unless passes_invite_reqs
 
-    # Sign in automatically if email verification is disabled.
-    login(@user) && return unless Rails.configuration.enable_email_verification
+    # User has passed all validations required
+    @user.save
 
-    # Start email verification and redirect to root.
-    begin
-      send_activation_email(@user)
-    rescue => e
-      logger.error "Error in email delivery: #{e}"
-      flash[:alert] = I18n.t(params[:message], default: I18n.t("delivery_error"))
-    else
-      flash[:success] = I18n.t("email_sent", email_type: t("verify.verification"))
+    # Set user to pending and redirect if Approval Registration is set
+    if approval_registration
+      @user.add_role :pending
+
+      return redirect_to root_path,
+        flash: { success: I18n.t("registration.approval.signup") } unless Rails.configuration.enable_email_verification
     end
-    redirect_to(root_path)
+
+    # Sign in automatically if email verification is disabled or if user is already verified.
+    login(@user) && return if !Rails.configuration.enable_email_verification || @user.email_verified
+
+    send_verification
+
+    redirect_to root_path
   end
 
   # GET /signin
@@ -63,11 +64,16 @@ class UsersController < ApplicationController
 
   # GET /signup
   def new
-    if Rails.configuration.allow_user_signup
-      @user = User.new
-    else
-      redirect_to root_path
+    return redirect_to root_path unless Rails.configuration.allow_user_signup
+
+    # Check if the user needs to be invited
+    if invite_registration
+      redirect_to root_path, flash: { alert: I18n.t("registration.invite.no_invite") } unless params[:invite_token]
+
+      session[:invite_token] = params[:invite_token]
     end
+
+    @user = User.new
   end
 
   # GET /u/:user_uid/edit
@@ -174,4 +180,34 @@ class UsersController < ApplicationController
     params.require(:user).permit(:name, :email, :image, :password, :password_confirmation,
       :new_password, :provider, :accepted_terms, :language)
   end
+
+  def send_verification
+    # Start email verification and redirect to root.
+    begin
+      send_activation_email(@user)
+    rescue => e
+      logger.error "Error in email delivery: #{e}"
+      flash[:alert] = I18n.t(params[:message], default: I18n.t("delivery_error"))
+    else
+      flash[:success] = I18n.t("email_sent", email_type: t("verify.verification"))
+    end
+  end
+
+  # Add validation errors to model if they exist
+  def valid_user_or_captcha
+    valid_user = @user.valid?
+    valid_captcha = Rails.configuration.recaptcha_enabled ? verify_recaptcha(model: @user) : true
+
+    valid_user && valid_captcha
+  end
+
+  # Checks if the user passes the requirements to be invited
+  def passes_invite_reqs
+    # check if user needs to be invited and IS invited
+    invitation = check_user_invited(@user.email, session[:invite_token], @user_domain)
+
+    @user.email_verified = true if invitation[:verified]
+
+    invitation[:present]
+  end
 end

app/helpers/admins_helper.rb

@@ -18,4 +18,31 @@
 
 module AdminsHelper
   include Pagy::Frontend
+
+  def display_invite
+    current_page?(admins_path) && invite_registration
+  end
+
+  def registration_method
+    Setting.find_or_create_by!(provider: user_settings_provider).get_value("Registration Method")
+  end
+
+  def invite_registration
+    registration_method == Rails.configuration.registration_methods[:invite]
+  end
+
+  def approval_registration
+    registration_method == Rails.configuration.registration_methods[:approval]
+  end
+
+  def registration_method_string
+    case registration_method
+    when Rails.configuration.registration_methods[:open]
+        I18n.t("administrator.site_settings.registration.methods.open")
+    when Rails.configuration.registration_methods[:invite]
+        I18n.t("administrator.site_settings.registration.methods.invite")
+    when Rails.configuration.registration_methods[:approval]
+        I18n.t("administrator.site_settings.registration.methods.approval")
+      end
+  end
 end

app/mailers/user_mailer.rb

@@ -34,4 +34,21 @@ class UserMailer < ApplicationMailer
     @color = color
     mail to: user.email, subject: t('reset_password.subtitle')
   end
+
+  def invite_email(name, email, url, image, color)
+    @name = name
+    @email = email
+    @url = url
+    @image = image
+    @color = color
+    mail to: email, subject: t('mailer.user.invite.subject')
+  end
+
+  def approve_user(user, url, image, color)
+    @user = user
+    @url = url
+    @image = image
+    @color = color
+    mail to: user.email, subject: t('mailer.user.approve.subject')
+  end
 end

app/models/invitation.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/.
+#
+# Copyright (c) 2018 BigBlueButton Inc. and by respective authors (see below).
+#
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+
+class Invitation < ApplicationRecord
+  has_secure_token :invite_token
+
+  scope :valid, -> { where(updated_at: (Time.now - 48.hours)..Time.now) }
+end

app/models/setting.rb

@@ -37,6 +37,8 @@ class Setting < ApplicationRecord
         Rails.configuration.branding_image_default
       when "Primary Color"
         Rails.configuration.primary_color_default
+      when "Registration Method"
+        Rails.configuration.registration_method_default
       end
     end
   end

app/views/errors/unauthorized.html.erb

@@ -15,6 +15,6 @@
 
 <div class="container text-center pt-9">
   <div class="display-1 text-muted mb-5">401</div>
-  <h1 class="h2 mb-3"><%= t("errors.unauthorized.message") %></h1>
-  <p class="h4 text-muted font-weight-normal mb-7"><%= t("errors.unauthorized.help") %></p>
+  <h1 class="h2 mb-3"><%= I18n.t("errors.unauthorized.message") %></h1>
+  <p class="h4 text-muted font-weight-normal mb-7"><%= I18n.t("errors.unauthorized.help") %></p>
 </div>

app/views/shared/admin_settings/_site_settings.html.erb

@@ -26,8 +26,11 @@
           </span>
         </div>
       </div>
-
-      <div class="form-group">
+    </div>
+  </div>
+  <div class="row">
+    <div class="col-12">
+      <div class="mb-7 form-group">
         <label class="form-label"><%= t("administrator.site_settings.color.title") %></label>
         <label class="form-label text-muted"><%= t("administrator.site_settings.color.info") %></label>
         <div class="row gutters-xs">
@@ -44,4 +47,28 @@
       </div>
     </div>
   </div>
+  <div class="row">
+    <div class="col-12">
+      <div class="form-group">
+        <label class="form-label"><%= t("administrator.site_settings.registration.title") %></label>
+        <label class="form-label text-muted"><%= t("administrator.site_settings.registration.info") %></label>
+        <div class="dropdown">
+          <button class="btn btn-primary dropdown-toggle" type="button" id="registrationMethods" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+            <%= registration_method_string %>
+          </button>
+          <div class="dropdown-menu" aria-labelledby="registrationMethods">
+            <%= button_to admin_change_registration_path("open"), class: "dropdown-item" do %>
+              <%= t("administrator.site_settings.registration.methods.open") %>
+            <% end %>
+            <%= button_to admin_change_registration_path("invite"), class: "dropdown-item" do %>
+              <%= t("administrator.site_settings.registration.methods.invite") %>
+            <% end %>
+            <%= button_to admin_change_registration_path("approval"), class: "dropdown-item" do %>
+              <%= t("administrator.site_settings.registration.methods.approval") %>
+            <% end %>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
 </div>

app/views/shared/admin_settings/_users.html.erb

@@ -68,11 +68,15 @@
                     <td><%= user.email && user.email != "" ? user.email : user.username%></td>
                     <td><%= user.provider %></td>
                     <td class="text-center">
-                    <% roles = user.roles().pluck(:name) %>
+                      <% roles = user.roles().pluck(:name) %>
                       <% if roles.include?("denied")%>
                         <div class="user-role btn btn-sm btn-gray-dark">
                           <%= t("roles.banned") %>
                         </div>
+                      <% elsif roles.include?("pending") %>
+                        <div class="user-role btn btn-sm btn-cyan">
+                          <%= t("roles.pending") %>
+                        </div>
                       <% elsif roles.include?("super_admin") %>
                         <div class="user-role btn btn-sm btn-red">
                           <%= t("roles.super_admin") %>
@@ -88,7 +92,21 @@
                       <% end %>
                     </td>
                     <td>
-                      <% unless roles.include?("super_admin") %>
+                      <% if roles.include?("pending") %>
+                        <div class="item-action dropdown">
+                          <a href="javascript:void(0)" data-toggle="dropdown" class="icon">
+                            <i class="fas fa-ellipsis-v px-4"></i>
+                          </a>
+                          <div class="dropdown-menu dropdown-menu">
+                            <%= button_to admin_approve_path(user_uid: user.uid), class: "dropdown-item" do %>
+                              <i class="dropdown-icon far fa-check-circle"></i> <%= t("administrator.users.settings.approve") %>
+                            <% end %>
+                            <%= button_to admin_ban_path(user_uid: user.uid), class: "dropdown-item" do %>
+                              <i class="dropdown-icon far fa-times-circle"></i> <%= t("administrator.users.settings.decline") %>
+                            <% end %>
+                          </div>
+                        </div>
+                      <% elsif !roles.include?("super_admin") %>
                         <div class="item-action dropdown">
                           <a href="javascript:void(0)" data-toggle="dropdown" class="icon">
                             <i class="fas fa-ellipsis-v px-4"></i>
@@ -142,3 +160,5 @@
     </div>
   </div>
 </div>
+
+<%= render "shared/modals/invite_user_modal" %>

app/views/shared/components/_subtitle.html.erb

@@ -14,12 +14,20 @@
 %>
 
 <div class="row mt-2">
-  <div class="col-8">
+  <div class="col-4">
     <p class="subtitle"><%= subtitle %></p>
   </div>
   <% if search %>
-    <div class="col-4">
-      <div id="search-bar">
+    <div class="col-8">
+      <% if display_invite %>
+        <div id="invite-user" class="d-inline-block float-right ml-3">
+          <%= link_to "#inviteModal", :class => "btn btn-primary", "data-toggle": "modal" do %>
+            <%= t("administrator.users.invite") %> <i class="fas fa-paper-plane ml-1"></i>
+          <% end %>
+        </div>
+      <% end %>
+
+      <div id="search-bar" class="d-inline-block float-right">
         <div class="input-group">
           <input id="search-input" type="text" class="form-control" placeholder="<%= t("settings.search") %>..." value="<%= @search %>">
           <% unless @search.blank? %>
@@ -28,7 +36,7 @@
             </span>
           <% end %>
           <span class="input-group-append">
-            <button class="btn btn-primary" type="button" onclick="searchPage()">
+            <button class="btn btn-outline-primary" type="button" onclick="searchPage()">
               <i class="fas fa-search"></i>
             </button>
           </span>

app/views/shared/modals/_invite_user_modal.html.erb

@@ -0,0 +1,44 @@
+<%
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/.
+# Copyright (c) 2018 BigBlueButton Inc. and by respective authors (see below).
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+%>
+
+<div class="modal fade" id="inviteModal" tabindex="-1" role="dialog">
+  <div class="modal-dialog modal-dialog-centered" role="document">
+    <div class="modal-content text-center">
+      <div class="modal-body">
+        <div class="card-body p-6">
+          <div class="card-title">
+            <h3><%= t("modal.invite_user.title") %></h3>
+          </div>
+
+          <%= form_for(:invite_user, url: invite_user_path) do |f| %>
+            <div class="input-icon mb-2">
+              <span class="input-icon-addon">
+                <i class="fas fa-envelope"></i>
+              </span>
+              <%= f.text_field :email, class: "form-control", value: "", placeholder: t("modal.invite_user.email_placeholder"), autocomplete: :off %>
+              <div class="invalid-feedback text-left"><%= t("modal.invite_user.not_blank") %></div>
+            </div>
+          <div class="mt-4">
+            <%= f.submit t("modal.invite_user.send"), class:"btn btn-primary btn-block" %>
+          </div>
+          <% end %>
+        </div>
+        <div class="card-footer">
+          <p><%= t("modal.invite_user.footer") %></p>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>

app/views/user_mailer/approve_user.html.erb

@@ -0,0 +1,43 @@
+<%
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/.
+#
+# Copyright (c) 2018 BigBlueButton Inc. and by respective authors (see below).
+#
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+%>
+
+<div style="text-align:center; font-family:'Source Sans Pro', -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Helvetica Neue', Arial, sans-serif">
+    <div style="display:inline-block; background-color:#F5F7FB; border:1px solid #d3d3d3; padding: 25px 70px">
+        <%= image_tag(@image, height: '70') %>
+
+        <h1 style="margin-bottom:30px">
+        <%= t('mailer.user.approve.subject') %>
+        </h1>
+
+        <p>
+        <%= t('mailer.user.approve.info') %>
+        </p>
+
+        <p>
+        <%= t('mailer.user.approve.username', email: @user.email) %>
+        </p>
+
+        <p style="margin-bottom:35px;">
+        <%= t('mailer.user.approve.signin') %>
+        </p>
+
+        <a style="background: <%= @color %>;color: #ffffff; padding: 10px 15px; box-shadow: 0 2px 4px 0 rgba(0,0,0,.25);border: 1px solid transparent;text-decoration:none;" href="<%= @url %>">
+        <%= t('mailer.user.approve.signin_link') %>
+        </a>
+    </div>
+</div>

app/views/user_mailer/approve_user.text.erb

@@ -0,0 +1,27 @@
+<%
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/.
+#
+# Copyright (c) 2018 BigBlueButton Inc. and by respective authors (see below).
+#
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+%>
+
+<%= t('mailer.user.approve.subject') %>
+
+<%= t('mailer.user.approve.info') %>
+
+<%= t('mailer.user.approve.username', email: @user.email) %>
+
+<%= t('mailer.user.approve.signin') %>
+
+<%= @url %>

app/views/user_mailer/invite_email.html.erb

@@ -0,0 +1,43 @@
+<%
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/.
+#
+# Copyright (c) 2018 BigBlueButton Inc. and by respective authors (see below).
+#
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+%>
+
+  <div style="text-align:center; font-family:'Source Sans Pro', -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Helvetica Neue', Arial, sans-serif">
+    <div style="display:inline-block; background-color:#F5F7FB; border:1px solid #d3d3d3; padding: 25px 70px">
+      <%= image_tag(@image, height: '70') %>
+
+      <h1 style="margin-bottom:30px">
+        <%= t('mailer.user.invite.subject') %>
+      </h1>
+
+      <p>
+        <%= t('mailer.user.invite.info', name: @name) %>
+      </p>
+
+      <p>
+        <%= t('mailer.user.invite.username', email: @email) %>
+      </p>
+
+      <p style="margin-bottom:35px;">
+        <%= t('mailer.user.invite.signup') %>
+      </p>
+
+      <a style="background: <%= @color %>;color: #ffffff; padding: 10px 15px; box-shadow: 0 2px 4px 0 rgba(0,0,0,.25);border: 1px solid transparent;text-decoration:none;" href="<%= @url %>">
+        <%= t('mailer.user.invite.signup_link') %>
+      </a>
+    </div>
+  </div>

app/views/user_mailer/invite_email.text.erb

@@ -0,0 +1,27 @@
+<%
+# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/.
+#
+# Copyright (c) 2018 BigBlueButton Inc. and by respective authors (see below).
+#
+# This program is free software; you can redistribute it and/or modify it under the
+# terms of the GNU Lesser General Public License as published by the Free Software
+# Foundation; either version 3.0 of the License, or (at your option) any later
+# version.
+#
+# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along
+# with BigBlueButton; if not, see <http://www.gnu.org/licenses/>.
+%>
+
+<%= t('mailer.user.invite.subject') %>
+
+<%= t('mailer.user.invite.info', name: @name) %>
+
+<%= t('mailer.user.invite.username', email: @email) %>
+
+<%= t('mailer.user.invite.signup') %>
+
+<%= @url %>

config/application.rb

@@ -96,22 +96,30 @@ module Greenlight
     # The maximum number of rooms included in one bbbapi call
     config.pagination_number = ENV['PAGINATION_NUMBER'].to_i.zero? ? 25 : ENV['PAGINATION_NUMBER'].to_i
 
+    # Number of rows to display per page
+    config.pagination_rows = ENV['NUMBER_OF_ROWS'].to_i.zero? ? 25 : ENV['NUMBER_OF_ROWS'].to_i
+
+    # Whether the user has defined the variables required for recaptcha
+    config.recaptcha_enabled = ENV['RECAPTCHA_SITE_KEY'].present? && ENV['RECAPTCHA_SECRET_KEY'].present?
+
+    # Show/hide "Add to Google Calendar" button in the room page
+    config.enable_google_calendar_button = (ENV['ENABLE_GOOGLE_CALENDAR_BUTTON'] == "true")
+
+    # Enum containing the different possible registration methods
+    config.registration_methods = { open: "0", invite: "1", approval: "2" }
+
+    # DEFAULTS
+
     # Default branding image if the user does not specify one
     config.branding_image_default = "https://raw.githubusercontent.com/bigbluebutton/greenlight/master/app/assets/images/logo_with_text.png"
 
     # Default primary color if the user does not specify one
     config.primary_color_default = "#467fcf"
 
+    # Default registration method if the user does not specify one
+    config.registration_method_default = config.registration_methods[:open]
+
     # Default admin password
     config.admin_password_default = ENV['ADMIN_PASSWORD'] || 'administrator'
-
-    # Number of rows to display per page
-    config.pagination_rows = ENV['NUMBER_OF_ROWS'].to_i.zero? ? 10 : ENV['NUMBER_OF_ROWS'].to_i
-
-    # Whether the user has defined the variables required for recaptcha
-    config.recaptcha_enabled = ENV['RECAPTCHA_SITE_KEY'].present? && ENV['RECAPTCHA_SECRET_KEY'].present?
-
-    # Show/hide "Add to Google Calendar" button in the room page
-    config.enable_google_calendar_button = (ENV['ENABLE_GOOGLE_CALENDAR_BUTTON'] == "true")
   end
 end

config/locales/en.yml

@@ -31,18 +31,30 @@ en:
       color:
         info: Change the primary color used across the website
         title: Primary Color
+      registration:
+        info: Change the way that users register to the website
+        title: Registration Method
+        methods:
+          approval: Approve/Decline
+          invite: Join by Invitation
+          open: Open Registration
       subtitle: Customize Greenlight
       title: Site Settings
     flash:
+      approved: User has been successfully approved.
       banned: User has been successfully banned.
       unbanned: User has been successfully unbanned.
       delete: User deleted successfully
       delete_fail: Failed to delete user
       demoted: User has been successfully demoted
+      invite: Invite successfully sent to %{email}
+      invite_email_verification: ALLOW_MAIL_NOTIFICATIONS must be set to true in order to use this method
       promoted: User has been successfully promoted
+      registration_method_updated: Registration method successfully updated
       unauthorized: You are not authorized to perform actions on this user
     title: Organization Settings
     users:
+      invite: Invite User
       edit:
         title: Edit User Details
       settings:
@@ -105,6 +117,7 @@ en:
     unauthorized:
       message: You do not have access to this application
       help: If you believe this is a mistake, please contact your system administrator.
+
     unprocessable:
       message: Oops! Request is unprocessable.
       help: Unfortunately this isn't a valid request.
@@ -157,6 +170,18 @@ en:
   login_title: Sign in to your account
   mailer:
     user:
+      approve:
+        info: Your account has been approved.
+        signin: To access your personal rooms, click the button below and sign in.
+        signin_link: Sign In
+        subject: Account Approved
+        username: Your username is %{email}.
+      invite:
+        info: You have been invited to your own personal space by %{name}
+        signup: To signup using your email, click the button below and follow the steps.
+        signup_link: Sign Up
+        subject: Invitation to join BigBlueButton
+        username: Your username is %{email}.
       password_reset:
         title: 'Password reset'
         welcome: It seems like you forgot your password for %{bigbluebutton}
@@ -191,6 +216,11 @@ en:
       delete: I'm sure, delete this room.
       keep: On second thought, I'll keep it.
       warning: You will <b>not</b> be able to recover this room or any of its %{recordings_num} associated recordings.
+    invite_user:
+      email_placeholder: Enter the user's email
+      footer: The user will receive an email with instructions on how to sign up
+      send: Send Invite
+      title: Invite User
     login:
       or: or
       with: Sign in with %{provider}
@@ -246,6 +276,15 @@ en:
       unlisted: Unlisted
     format:
       presentation: Presentation
+  registration:
+    approval: 
+      fail: Your account has not been approved yet. If multiples days have passed since you signed up, please contact your administrator.
+      signup: Your account was successfully created. It has been sent to an administrator for approval.
+    banned:
+      fail: You do not have access to this application. If you believe this is a mistake, please contact your administrator. 
+    invite:
+      fail: Your token is either invalid or has expired. If you believe this is a mistake, please contact your administrator.
+      no_invite: You do not have an invitation to join. Please contact your administrator to receive one.
   rename: Rename
   reset_password:
     subtitle: Reset Password
@@ -255,6 +294,7 @@ en:
   roles:
     administrator: Administrator
     banned: Banned
+    pending: Pending
     super_admin: Super Admin
     user: User
   room:

config/routes.rb

@@ -45,6 +45,9 @@ Rails.application.routes.draw do
     post '/demote/:user_uid', to: 'admins#demote', as: :admin_demote
     post '/ban/:user_uid', to: 'admins#ban_user', as: :admin_ban
     post '/unban/:user_uid', to: 'admins#unban_user', as: :admin_unban
+    post '/invite', to: 'admins#invite', as: :invite_user
+    post '/registration_method/:method', to: 'admins#registration_method', as: :admin_change_registration
+    post '/approve/:user_uid', to: 'admins#approve', as: :admin_approve
   end
 
   scope '/themes' do

db/migrate/20190507190710_create_invitations.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class CreateInvitations < ActiveRecord::Migration[5.0]
+  def change
+    create_table :invitations do |t|
+      t.string "email", null: false
+      t.string "provider", null: false
+      t.string "invite_token"
+      t.timestamps
+    end
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20190326144939) do
+ActiveRecord::Schema.define(version: 20190507190710) do
 
   create_table "features", force: :cascade do |t|
     t.integer  "setting_id"
@@ -22,6 +22,14 @@ ActiveRecord::Schema.define(version: 20190326144939) do
     t.index ["setting_id"], name: "index_features_on_setting_id"
   end
 
+  create_table "invitations", force: :cascade do |t|
+    t.string   "email",        null: false
+    t.string   "provider",     null: false
+    t.string   "invite_token"
+    t.datetime "created_at",   null: false
+    t.datetime "updated_at",   null: false
+  end
+
   create_table "roles", force: :cascade do |t|
     t.string   "name"
     t.string   "resource_type"
@@ -38,11 +46,11 @@ ActiveRecord::Schema.define(version: 20190326144939) do
     t.string   "name"
     t.string   "uid"
     t.string   "bbb_id"
-    t.integer  "sessions",              default: 0
+    t.integer  "sessions",      default: 0
     t.datetime "last_session"
-    t.datetime "created_at",                            null: false
-    t.datetime "updated_at",                            null: false
-    t.string   "room_settings",         default: "{ }"
+    t.datetime "created_at",                    null: false
+    t.datetime "updated_at",                    null: false
+    t.string   "room_settings", default: "{ }"
     t.string   "moderator_pw"
     t.string   "attendee_pw"
     t.index ["bbb_id"], name: "index_rooms_on_bbb_id"
@@ -70,8 +78,8 @@ ActiveRecord::Schema.define(version: 20190326144939) do
     t.string   "image"
     t.string   "password_digest"
     t.boolean  "accepted_terms",    default: false
-    t.datetime "created_at",                              null: false
-    t.datetime "updated_at",                              null: false
+    t.datetime "created_at",                            null: false
+    t.datetime "updated_at",                            null: false
     t.boolean  "email_verified",    default: false
     t.string   "language",          default: "default"
     t.string   "reset_digest"

sample.env

@@ -136,8 +136,8 @@ ROOM_FEATURES=default-client,mute-on-join
 PAGINATION_NUMBER=25
 
 # Specify the maximum number of rows that should be displayed per page for a paginated table
-# Default is set to 10 rows
-NUMBER_OF_ROWS=10
+# Default is set to 25 rows
+NUMBER_OF_ROWS=25
 
 # Specify if you want to display the Google Calendar button
 #   ENABLE_GOOGLE_CALENDAR_BUTTON=true|false

spec/controllers/account_activations_controller_spec.rb

@@ -72,6 +72,17 @@ describe AccountActivationsController, type: :controller do
       expect(flash[:alert]).to be_present
       expect(response).to redirect_to(root_path)
     end
+
+    it "redirects a pending user to root with a flash" do
+      @user = create(:user, email_verified: false, provider: "greenlight")
+
+      @user.add_role :pending
+
+      get :edit, params: { email: @user.email, token: @user.activation_token }
+
+      expect(flash[:success]).to be_present
+      expect(response).to redirect_to(root_path)
+    end
   end
 
   describe "GET #resend" do

spec/controllers/admins_controller_spec.rb

@@ -109,6 +109,56 @@ describe AdminsController, type: :controller do
         expect(response).to redirect_to(admins_path)
       end
     end
+
+    context "POST #invite" do
+      before do
+        allow(Rails.configuration).to receive(:loadbalanced_configuration).and_return(true)
+        allow_any_instance_of(ApplicationController).to receive(:allow_greenlight_users?).and_return(true)
+        allow_any_instance_of(User).to receive(:greenlight_account?).and_return(true)
+      end
+
+      it "invites a user" do
+        @request.session[:user_id] = @admin.id
+        email = Faker::Internet.email
+        post :invite, params: { invite_user: { email: email } }
+
+        invite = Invitation.find_by(email: email, provider: "greenlight")
+
+        expect(invite.present?).to eq(true)
+        expect(flash[:success]).to be_present
+        expect(response).to redirect_to(admins_path)
+      end
+
+      it "sends an invitation email" do
+        @request.session[:user_id] = @admin.id
+        email = Faker::Internet.email
+
+        params = { invite_user: { email: email } }
+        expect { post :invite, params: params }.to <