add exclusive option to provider an column can_renew_passwor to user

config/configuration.sample.yml

@@ -221,6 +221,7 @@ authentication:
                 client-secret: ''
                 base-url: 'https://keycloak.phrasea.local'
                 realm-name: phrasea
+                exclusive: false
                 icon-uri: null
                 birth-group: _firstlog
                 everyone-group: _everyone

doc/others/openid-sso.md

@@ -17,6 +17,9 @@ authentication:
                 client-secret: 'client-secret'
                 base-url: 'https://keycloak.phrasea.local'
                 realm-name: phrasea
+                # if true, can only connect with this provider
+                # the user cannot connect with the default phraseanet login form
+                exclusive: false
                 icon-uri: null
                 birth-group: _firstlog
                 everyone-group: _everyone

lib/Alchemy/Phrasea/Authentication/Provider/Openid.php

@@ -677,10 +677,18 @@ private function CreateUser(Array $data)
             }
 
             // yes we are logged !
-//            /** @var RandomGenerator $randomGenerator */
-//            $randomGenerator = $this->getRandomGenerator();
-//            $password = $randomGenerator->generateString(16);
-//            $userUA->setPassword($password);
+
+            if (isset($this->config['exclusive']) && $this->config['exclusive'] == true) {
+                // reset the password
+                // if it is an existing user, the user cannot login from the default phraseanet login
+                // cannot renew her password
+
+                /** @var RandomGenerator $randomGenerator */
+                $randomGenerator = $this->getRandomGenerator();
+                $password = $randomGenerator->generateString(16);
+                $userUA->setPassword($password);
+                $userUA->setCanRenewPassword(false);
+            }
 
             $this->debug(sprintf("returning user id=%s", $userUA->getId()));
 

lib/Alchemy/Phrasea/Authentication/RecoveryService.php

@@ -122,7 +122,7 @@ private function requestPasswordResetTokenByUser(User $user, $notifyUser = true)
         $receiver = Receiver::fromUser($user);
         $token = $this->tokenManipulator->createResetPasswordToken($user);
 
-        if ($notifyUser) {
+        if ($notifyUser && $user->canRenewPassword()) {
             $url = $this->urlGenerator->generate('login_renew_password', [ 'token' => $token->getValue() ], true);
 
             $mail = MailRequestPasswordUpdate::create($this->application, $receiver);

lib/Alchemy/Phrasea/Controller/Admin/UserController.php

@@ -191,6 +191,14 @@ public function changeMailLockedAction(Request $request)
         return $this->app->json(['success' => true]);
     }
 
+    public function changeCanRenewPasswordAction(Request $request)
+    {
+        $helper = $this->getUserManageHelper($request);
+        $helper->setCanRenewPassword();
+
+        return $this->app->json(['success' => true]);
+    }
+
     public function applyRightsAction(Request $request)
     {
         $data = ['error' => true];

lib/Alchemy/Phrasea/ControllerProvider/Admin/Users.php

@@ -53,6 +53,7 @@ public function connect(Application $app)
         $controllers->post('/delete/', 'controller.admin.users:deleteUserAction');
         $controllers->post('/auth-failure/reset/', 'controller.admin.users:resetAuthFailureAction');
         $controllers->post('/mail-locked/change/', 'controller.admin.users:changeMailLockedAction');
+        $controllers->post('/can-renew-password/change/', 'controller.admin.users:changeCanRenewPasswordAction');
         $controllers->post('/rights/apply/', 'controller.admin.users:applyRightsAction')
             ->bind('admin_users_rights_apply');
         $controllers->post('/rights/quotas/', 'controller.admin.users:editQuotasRightsAction');

lib/Alchemy/Phrasea/Helper/User/Manage.php

@@ -262,6 +262,17 @@ public function setMailLocked()
         $this->getObjectManager()->flush();
     }
 
+    public function setCanRenewPassword()
+    {
+        /** @var UserRepository $userRepository */
+        $userRepository = $this->app['repo.users'];
+        $user = $userRepository->find($this->request->request->get('user_id'));
+        $status = $this->request->request->get('action') == 'can-renew' ? true : false;
+        $user->setCanRenewPassword($status);
+        $this->getObjectManager()->persist($user);
+        $this->getObjectManager()->flush();
+    }
+
     /**
      * @return ObjectManager
      */

lib/Alchemy/Phrasea/Model/Entities/User.php

@@ -276,6 +276,11 @@ class User
      */
     private $lastInactivityEmail;
 
+    /**
+     * @ORM\Column(type="boolean", name="can_renew_password", options={"default" = 1})
+     */
+    private $canRenewPassword = true;
+
     /**
      * Constructor
      */
@@ -740,6 +745,25 @@ public function setGuest($guest)
         return $this;
     }
 
+    /**
+     * @return bool
+     */
+    public function canRenewPassword()
+    {
+        return $this->canRenewPassword;
+    }
+
+    /**
+     * @param $canRenewPassword
+     * @return $this
+     */
+    public function setCanRenewPassword($canRenewPassword)
+    {
+        $this->canRenewPassword = (Boolean) $canRenewPassword;
+
+        return $this;
+    }
+
     /**
      * @return boolean
      */

lib/classes/patch/418RC9PHRAS4007.php

@@ -81,6 +81,7 @@ private function patch_appbox(base $appbox, Application $app)
                     'client-secret' => 'client_secret',
                     'base-url'      => 'https://keycloak.phrasea.local',
                     'realm-name'    => 'phrasea',
+                    'exclusive'     => false,
                     'icon-uri'      => null,
                     'birth-group'   => '_firstlog',
                     'everyone-group' => '_everyone',

templates/web/admin/editusers.html.twig

@@ -582,14 +582,23 @@
         </form>
 
         <div>
-          <label for="lock" style="margin-right: 20px;display:inline-block;">Email locked</label>
+          <label for="lock" style="margin-right: 20px;display:inline-block;min-width: 150px;">Email locked</label>
           <input type="radio" id="lock" name="email-locked" value="locked" style="margin-right: 10px;"
                   {% if main_user.isMailLocked() %} checked {% endif %}>
           <input type="radio" id="unlock" name="email-locked" value="unlock" style="margin-left: 10px;"
                   {% if not main_user.isMailLocked() %} checked {% endif %}>
           <label for="unlock" style="margin-left: 20px;display:inline-block;">Email unlocked</label>
         </div>
 
+        <div style="margin-top: 15px;">
+          <label for="can-renew" style="margin-right: 20px;display:inline-block;min-width: 150px;">can renew password</label>
+          <input type="radio" id="can-renew" name="can-renew-password" value="can-renew" style="margin-right: 10px;"
+                  {% if main_user.canRenewPassword() %} checked {% endif %}>
+          <input type="radio" id="cannot-renew" name="can-renew-password" value="cannot-renew" style="margin-left: 10px;"
+                  {% if not main_user.canRenewPassword() %} checked {% endif %}>
+          <label for="cannot-renew" style="margin-left: 20px;display:inline-block;">can not renew password</label>
+        </div>
+
         <div style="margin-top: 20px;">
           {% set usrProviders = app['repo.usr-auth-providers'].findByUser(main_user) %}
           {% if usrProviders|length > 0 %}
@@ -1508,6 +1517,21 @@
         });
       });
 
+      $('input[type=radio][name="can-renew-password"]').change( function() {
+        let $this = $(this);
+        $.ajax({
+          type: 'POST',
+          url: '/admin/users/can-renew-password/change/',
+          dataType: 'json',
+          data: {
+            user_id: {{ main_user.getId() }},
+            action: $this.val()
+          },
+          success: function (data) {
+          }
+        });
+      });
+
       function listRecordAcl() {
         let expiredRight = 0;
         if ($("#expired-right").is(":checked"))