Feature #13383: Feature: CAS single sign-on
Remove "Reset password", "Edit" profile, and "Add new" profile links/buttons when CAS is enabled
Assignee: Tessa Walsh
Target version: Release 2.7.0
For non-admin CAS authenticated users, a "Reset password" link and form are available. However, resetting their password in AtoM has no functional effect. Only the CAS password is functional.
Also, for CAS authenticated admin users, "Edit" and "Add new" buttons appear at the bottom of user profile pages. However, clicking on those buttons returns a "Sorry, you do not have permission to access that page" response.
Therefore, it's best if these link options were simply disabled for CAS authenticated users to avoid confusion.
#1 Updated by Peter Van Garderen 8 months ago
Note: documentation to reflect this enhancement has already been committed: https://github.com/artefactual/atom-docs/pull/162/commits/123211bd9d9271ad961183e48bd3152d2525dd36
#2 Updated by Tessa Walsh 8 months ago
PR submitted: https://github.com/artefactual/atom/pull/1188
It's necessary to leave some of the Edit profile functionality (to generate AIP keys, mark a user as active/inactive, set translation languages, and manage group membership if that's not managed through CAS 3.0 attributes), so the PR diverges from the issue as-written in those respects.
#3 Updated by Tessa Walsh 8 months ago
This has been merged into qa/2.x: https://github.com/artefactual/atom/commit/2a65e665ee01560f577737af603c1b8687e57a23
#4 Updated by Peter Van Garderen 8 months ago
- Status changed from New to QA/Review
- Editing of user profile information (user name, email, and password) for CAS users (including administrators) continues to be unavailable, as intended.
- An administrator user is able to edit active/inactive status, group membership, translation languages and API key generation for other users, as intended.
- On a CAS 3.0 enabled site, an administrator can add another user to additional groups. However, in a CAS 3.0 enabled scenario, group membership is controlled from the CAS server. When that user logs in, the new group membership is not present. This is the expected result.
- An administrator user on a CAS-enabled site can set another user account to inactive. When that user attempts to log in via CAS they are met by a 500 error page ("Oops! An Error Occurred"). So the administrator successfully de-activated the account. However, is a 500 response the correct result?
- While comparing results on a non-CAS enabled site, the "Edit" button was missing for a non-administrator user on their profile page. Could this be caused by CAS changes?
- If an administrator user edits their own group membership or translation languages, their account will be set to inactive and they will be logged off. They will not be able to log in unless their user account status is manually reset to active via the MySQL database. This bug applies to non-CAS scenarios too and is reported here: https://projects.artefactual.com/issues/13393
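As an added illustration of the rules worked out in the issue description and in comments #2 and #4 (this is example code written for this page, not AtoM's own user model or CAS plugin), the policy below encodes which profile fields stay editable once CAS is enabled: username, email and password become read-only for everyone, administrators included, while active status, group membership, translation languages and API key generation remain administrator-only local operations. The class, method and field names, the casManagesGroups flag standing in for CAS 3.0 attribute-managed groups, and the authorizeCasLogin helper are all assumptions made for the example; the helper only shows one way to turn the inactive-account case into an explicit denial rather than an unhandled error.

```php
<?php
// Added example (not AtoM's own code): a policy class modelling the
// profile-editing rules discussed in this issue and in comments #2 and #4.
// All names are hypothetical. Requires PHP 8.1+ (readonly properties).

final class User
{
    public function __construct(
        public readonly int $id,
        public readonly bool $isAdmin,
        public bool $active = true,
    ) {}
}

final class ProfileEditPolicy
{
    // Identity and credentials are owned by the CAS server once CAS is
    // enabled; changing them in AtoM has no effect (issue description).
    private const CAS_OWNED_FIELDS = ['username', 'email', 'password'];

    // AtoM keeps managing these locally even under CAS (comment #2).
    private const LOCAL_FIELDS = ['active', 'groups', 'translation_languages', 'api_key'];

    public function __construct(
        private readonly bool $casEnabled,
        // Assumption: true when group membership comes from CAS 3.0 attributes
        // and is re-applied at every login (comment #4, third bullet).
        private readonly bool $casManagesGroups = false,
    ) {}

    public function canEditField(User $actor, User $target, string $field): bool
    {
        if (in_array($field, self::CAS_OWNED_FIELDS, true)) {
            if ($this->casEnabled) {
                return false; // holds for administrators too (comment #4)
            }
            // Local auth: users edit their own identity, admins edit anyone's.
            return $actor->isAdmin || $actor->id === $target->id;
        }

        if (in_array($field, self::LOCAL_FIELDS, true)) {
            if ($field === 'groups' && $this->casManagesGroups) {
                return false; // the CAS server overwrites it at next login
            }
            return $actor->isAdmin;
        }

        return false; // unknown field: deny by default
    }

    // "Reset password" is only meaningful when AtoM owns the password.
    public function showResetPasswordLink(): bool
    {
        return !$this->casEnabled;
    }

    // "Add new" is hidden under CAS, as the issue requests: accounts are
    // provisioned on the CAS side.
    public function showAddUserButton(User $viewer): bool
    {
        return $viewer->isAdmin && !$this->casEnabled;
    }

    // "Edit" is shown only if at least one field would actually be editable,
    // which avoids the permission-denied page the issue describes.
    public function showEditButton(User $viewer, User $target): bool
    {
        foreach (array_merge(self::CAS_OWNED_FIELDS, self::LOCAL_FIELDS) as $field) {
            if ($this->canEditField($viewer, $target, $field)) {
                return true;
            }
        }
        return false;
    }
}

// Assumed handling for an inactive CAS user: refuse the login with a
// named reason instead of letting an exception reach the user.
function authorizeCasLogin(User $user): string
{
    return $user->active ? 'ok' : 'account-inactive';
}

// Constructed sample actors on a CAS 3.0 site with attribute-managed groups.
$policy = new ProfileEditPolicy(casEnabled: true, casManagesGroups: true);
$admin  = new User(1, true);
$member = new User(2, false);

var_dump($policy->showResetPasswordLink());
var_dump($policy->canEditField($admin, $member, 'email'));
var_dump($policy->canEditField($admin, $member, 'active'));
var_dump($policy->canEditField($admin, $member, 'groups'));
var_dump($policy->showEditButton($member, $member));
$member->active = false;
var_dump(authorizeCasLogin($member));
```

Run with php on the command line; the dumps show that under CAS the password link and all identity edits are off for the administrator, that toggling active status is still allowed, that group edits are refused when CAS manages groups, and that a non-admin CAS user gets no Edit button at all. Deny-by-default on unknown fields is deliberate: a new profile field added later has to be classified before anyone can edit it.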