Feature #13413

Feature #13383: Feature: CAS single sign-on

Remove "Reset password", "Edit" profile, and "Add new" profile links/buttons when CAS is enabled

Added by Peter Van Garderen 8 months ago. Updated 8 months ago.

Status: QA/Review
Start date: 09/03/2020
Priority: Medium
Due date:
Assignee: Tessa Walsh
% Done: 0%
Category: Access Control
Target version: Release 2.7.0
Google Code Legacy ID:
Tested version:
Sponsored: Yes
Requires documentation: No

Description

For non-admin CAS authenticated users, a "Reset Password" link and form are available. However, resetting their password in AtoM has no functional effect. Only the CAS password is functional.

Also, for CAS authenticated admin users, an "Edit" and "Add new" button appears at the bottom of user profile pages. However, clicking on those buttons returns a "Sorry, you do not have permission to access that page" response.

Therefore, it's best if these link options were simply disabled for CAS authenticated users to avoid confusion.

History

#1 Updated by Peter Van Garderen 8 months ago

Note: documentation to reflect this enhancement has already been committed: https://github.com/artefactual/atom-docs/pull/162/commits/123211bd9d9271ad961183e48bd3152d2525dd36

#2 Updated by Tessa Walsh 8 months ago

PR submitted: https://github.com/artefactual/atom/pull/1188

It's necessary to leave some of the Edit profile functionality (to generate AIP keys, mark a user as active/inactive, set translation languages, and manage group membership if that's not managed through CAS 3.0 attributes), so the PR diverges from the issue as-written in those respects.

#4 Updated by Peter Van Garderen 8 months ago

  • Status changed from New to QA/Review

The PR revisions have been successfully QA'ed:
  • Editing of user profile information (user name, email, and password) for CAS users (including administrators) continues to be unavailable, as intended.
  • An administrator user is able to edit active/inactive status, group membership, translation languages and API key generation for other users, as intended.
  • On a CAS 3.0 enabled site, an administrator can add another user to additional groups. However, in a CAS 3.0 enabled scenario, group membership is controlled from the CAS server. When that user logs in, the new group membership is not present. This is the expected result.
HOWEVER, PLEASE NOTE:
  • An administrator user on a CAS-enabled site can set another user account to inactive. When that user attempts to log in via CAS they are met by a 500 error page ("Oops! An Error Occurred"). So the administrator successfully de-activated the account. However, is a 500 response the correct result?
  • While comparing results on a non-CAS enabled site, the "Edit" button was missing for a non-administrator user on their profile page. Could this be caused by CAS changes?
  • If an administrator user edits their own group membership or translation languages, their account will be set to inactive and they will be logged off. They will not be able to log in unless their user account status is manually reset to active via the MySQL database. This bug applies to non-CAS scenarios too and is reported here: https://projects.artefactual.com/issues/13393
