Add a SiteSetting to not trust sso emails by default

2025-03-21 17:05:29 +08:00 · 2015-05-15 12:00:34 -05:00 · 2015-05-15 12:00:34 -05:00 · 4c26c4d9bc
commit 4c26c4d9bc
parent 94ca9ed11f
4 changed files with 26 additions and 1 deletions
--- a/app/models/discourse_single_sign_on.rb
+++ b/app/models/discourse_single_sign_on.rb
@ -57,7 +57,7 @@ class DiscourseSingleSignOn < SingleSignOn
      change_external_attributes_and_override(sso_record, user)
    end

-    if sso_record && (user = sso_record.user) && !user.active
+    if sso_record && (user = sso_record.user) && !user.active && SiteSetting.sso_trusts_email
      user.active = true
      user.save!
      user.enqueue_welcome_message('welcome_user') unless suppress_welcome_message
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -885,6 +885,7 @@ en:
    enable_sso_provider: "Implement Discourse SSO provider protocol at the /session/sso_provider endpoint, requires sso_secret to be set"
    sso_url: "URL of single sign on endpoint"
    sso_secret: "Secret string used to cryptographically authenticate SSO information, be sure it is 10 characters or longer"
+    sso_trusts_email: "Allow SSO accounts to skip email verification"
    sso_overrides_email: "Overrides local email with external site email from SSO payload (WARNING: discrepancies can occur due to normalization of local emails)"
    sso_overrides_username: "Overrides local username with external site username from SSO payload (WARNING: discrepancies can occur due to differences in username length/requirements)"
    sso_overrides_name: "Overrides local full name with external site full name from SSO payload"
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -234,6 +234,7 @@ login:
  enable_sso_provider: false
  sso_url: ''
  sso_secret: ''
+  sso_trusts_email: true
  sso_overrides_email: false
  sso_overrides_username: false
  sso_overrides_name: false
--- a/spec/models/discourse_single_sign_on_spec.rb
+++ b/spec/models/discourse_single_sign_on_spec.rb
@ -140,6 +140,29 @@ describe DiscourseSingleSignOn do
    expect(sso.nonce).to_not be_nil
  end

+  context 'trusting emails' do
+    let(:sso) {
+      sso = DiscourseSingleSignOn.new
+      sso.username = "test"
+      sso.name = "test"
+      sso.email = "test@example.com"
+      sso.external_id = "A"
+      sso
+    }
+
+    it 'activates users by default' do
+      user = sso.lookup_or_create_user(ip_address)
+      expect(user.active).to eq(true)
+    end
+
+    it 'does not activate user when asked to' do
+      SiteSetting.sso_trusts_email = false
+      user = sso.lookup_or_create_user(ip_address)
+      expect(user.active).to eq(false)
+    end
+
+  end
+
  context 'welcome emails' do
    let(:sso) {
      sso = DiscourseSingleSignOn.new