DS-4027: New user registration & forgot password #2763
Conversation
…ITs for the functionality
…ost with token and added its to verify functionality
… in RegistrationRestControllerIT
…l instead of as a parameter
…thorizeUpdatePassword method
…w-registration Conflicts: dspace-api/src/main/java/org/dspace/app/util/AuthorizeUtil.java
There was a problem hiding this comment.
@benbosman : I gave this a (partial) code review today. Unfortunately I ran into a lot of minor mistakes/cleanup. Please see my inline comments. There are areas of this code that don't make sense to me...so either they need fixing or need inline code comments to explain the logic.
I stopped reviewing part way through as there was too much to comment on (especially in the ITs, which I found very messy overall & not implemented based on current best practices). So, I'd recommend working with the developer on cleaning up this code based on our best practices & then let me know when you feel it's ready for a public review again.
dspace-api/src/main/java/org/dspace/app/util/AuthorizeUtil.java
Outdated
Show resolved
Hide resolved
dspace-server-webapp/src/main/java/org/dspace/app/rest/RegistrationRestController.java
Outdated
Show resolved
Hide resolved
dspace-server-webapp/src/main/java/org/dspace/app/rest/RegistrationRestController.java
Outdated
Show resolved
Hide resolved
dspace-server-webapp/src/test/java/org/dspace/app/rest/EPersonRestRepositoryIT.java
Outdated
Show resolved
Hide resolved
dspace-server-webapp/src/test/java/org/dspace/app/rest/EPersonRestRepositoryIT.java
Outdated
Show resolved
Hide resolved
dspace-server-webapp/src/test/java/org/dspace/app/rest/EPersonRestRepositoryIT.java
Outdated
Show resolved
Hide resolved
dspace-server-webapp/src/test/java/org/dspace/app/rest/EPersonRestRepositoryIT.java
Outdated
Show resolved
Hide resolved
dspace-server-webapp/src/test/java/org/dspace/app/rest/EPersonRestRepositoryIT.java
Outdated
Show resolved
Hide resolved
…w-registration Conflicts: dspace-server-webapp/src/main/java/org/dspace/app/rest/repository/EPersonRestRepository.java dspace-server-webapp/src/test/java/org/dspace/app/rest/EPersonRestRepositoryIT.java
… to the new registration endpoints
|
@tdonohue All feedback has been resolved and/or answered |
…n to now be available to anonymous calls
… and rewrote EPersonRestRepositoryIT tests to use this
There was a problem hiding this comment.
@benbosman : This is looking great overall. That said, in my re-review, I stumbled on a few tiny mistakes. Some look like simple copy & paste errors that were overlooked. Once these tiny things are cleaned up, I think this is ready to go. Thanks!
dspace-server-webapp/src/test/java/org/dspace/app/rest/EPersonRestRepositoryIT.java
Outdated
Show resolved
Hide resolved
dspace-server-webapp/src/test/java/org/dspace/app/rest/EPersonRestRepositoryIT.java
Outdated
Show resolved
Hide resolved
dspace-server-webapp/src/test/java/org/dspace/app/rest/ProcessRestRepositoryIT.java
Outdated
Show resolved
Hide resolved
dspace-server-webapp/src/test/java/org/dspace/app/rest/RegistrationRestControllerIT.java
Outdated
Show resolved
Hide resolved
...ver-webapp/src/test/java/org/dspace/app/rest/authorization/EPersonRegistrationFeatureIT.java
Outdated
Show resolved
Hide resolved
...ver-webapp/src/test/java/org/dspace/app/rest/authorization/EPersonRegistrationFeatureIT.java
Outdated
Show resolved
Hide resolved
...ver-webapp/src/test/java/org/dspace/app/rest/authorization/EPersonRegistrationFeatureIT.java
Outdated
Show resolved
Hide resolved
...ce-server-webapp/src/test/java/org/dspace/app/rest/jackson/IgnoreJacksonWriteOnlyAccess.java
Show resolved
Hide resolved
…w-registration Conflicts: dspace-api/src/main/java/org/dspace/app/util/AuthorizeUtil.java dspace-server-webapp/src/main/java/org/dspace/app/rest/security/EPersonRestPermissionEvaluatorPlugin.java dspace-server-webapp/src/test/java/org/dspace/app/rest/EPersonRestRepositoryIT.java
|
@tdonohue all feedback has been processed, and the branch has been updated with the latest master This should be ready to merge now |
There was a problem hiding this comment.
@benbosman : Thanks for the updates! I've found two more minor things that can be cleaned up quickly (a recent commit to add in an odd context.complete() in a test made me realize these additional minor flaws). Then it all looks good to me.
dspace-server-webapp/src/test/java/org/dspace/app/rest/RegistrationRestControllerIT.java
Outdated
Show resolved
Hide resolved
dspace-server-webapp/src/test/java/org/dspace/app/rest/RegistrationRestRepositoryIT.java
Show resolved
Hide resolved
tdonohue
added
authentication: password
tdonohue
changed the title
…RestRepositoryIT and added extra cleanup
| // This allowSetPassword is currently the only mthod that would return true only when it's | ||
| // actually expected to be returning true. | ||
| // For example the LDAP canSelfRegister will return true due to auto-register, while that | ||
| // does not imply a new user can register explicitly | ||
| return AuthenticateServiceFactory.getInstance().getAuthenticationService() | ||
| .allowSetPassword(context, request, null); |
There was a problem hiding this comment.
I have read the previous discussion but I still don't understand why we cannot simply rely only on the dspace.cfg property. Why should I put user.registration to true if I wan't allow user registration?
There was a problem hiding this comment.
As discussed with Tim in https://github.com/DSpace/DSpace/pull/2763/files/891ab3f3e261e8a78321091b8835fab413937899#r428844401, there is no method in the authentication services which correctly verifies whether you can register a new account. A ticket can be created for that problem, but it was considered out of scope for this PR to fix that issue in the API
There was a problem hiding this comment.
I'm fine with moving this to a separate discussion
| if (!configurationService.getBooleanProperty("user.registration", true)) { | ||
| throw new IllegalStateException("The user.registration parameter was set to false"); | ||
| } |
There was a problem hiding this comment.
this seems me to confirm that we only need to check the dspace.cfg parameter (see previous comment)
There was a problem hiding this comment.
A ticket can be created to deal with the lack of this detail in the API
| RegistrationData registrationData = registrationDataService.findByToken(context, token); | ||
| if (registrationData == null) { | ||
| throw new DSpaceBadRequestException("The token given as parameter: " + token + " does not exist" + | ||
| " in the database"); | ||
| } | ||
| if (es.findByEmail(context, registrationData.getEmail()) != null) { | ||
| throw new DSpaceBadRequestException("The token given already contains an email address that resolves" + | ||
| "to an eperson"); |
There was a problem hiding this comment.
this meet the current contract, I'm just thinking that a 422 would be more appropriate here as there is a semantic / status issue more than a formal error. But if you don't agree, ignore it and we can eventually open an issue to discuss it in future and apply later the changes (if agreed)
There was a problem hiding this comment.
The contract explicitly mentions status 400 for this use case, that would contradict the contract
| throw new DSpaceBadRequestException("The eperson.firstname and eperson.lastname values need to be " + | ||
| "filled in"); |
There was a problem hiding this comment.
also in this case, as the issue is inside the json I would prefer a 422. It would be useful in any case note in the contract that this error is throw when the metadata are missing (it is noted that they are mandatory)
There was a problem hiding this comment.
This is not defined in the contract, 422 is fine for me. We'll update this in the code
| getClient().perform(post("/api/eperson/registrations") | ||
| .content(mapper.writeValueAsBytes(registrationRest)) | ||
| .contentType(contentType)) | ||
| .andExpect(status().is(401)); |
There was a problem hiding this comment.
small thing but I would appreciate if we can use the constant here
There was a problem hiding this comment.
This code has been moved, but can indeed be adjusted
dspace-server-webapp/src/test/java/org/dspace/app/rest/RegistrationRestRepositoryIT.java
Outdated
Show resolved
Hide resolved
dspace-server-webapp/src/test/java/org/dspace/app/rest/RegistrationRestRepositoryIT.java
Show resolved
Hide resolved
dspace-server-webapp/src/test/java/org/dspace/app/rest/RegistrationRestRepositoryIT.java
Outdated
Show resolved
Hide resolved
| registrationDataList = registrationDataDAO.findAll(context, RegistrationData.class); | ||
| assertEquals(1, registrationDataList.size()); | ||
| assertTrue(StringUtils.equalsIgnoreCase(registrationDataList.get(0).getEmail(), eperson.getEmail())); | ||
| Iterator<RegistrationData> iterator = registrationDataList.iterator(); | ||
| while (iterator.hasNext()) { | ||
| RegistrationData registrationData = iterator.next(); | ||
| registrationDataDAO.delete(context, registrationData); | ||
| } |
There was a problem hiding this comment.
We'll move this to a finally
...ver-webapp/src/test/java/org/dspace/app/rest/authorization/EPersonRegistrationFeatureIT.java
Show resolved
Hide resolved
There was a problem hiding this comment.
👍 Thanks @benbosman! This looks good to me now. So, once @abollini 's minor feedback is addressed, this can be merged.
(Also, as noted on Slack, if you rebase on current master then LGTM should build properly and stop putting a ❌ here. It also will analyze your PR and provide feedback as well.)
|
This pull request introduces 1 alert when merging 0555644 into 000b5c7 - view on LGTM.com new alerts:
|
|
it is ready to go for me now. Thanks @benbosman |
References
Description
This is the backend to:
Instructions for Reviewers
List of changes in this PR:
POST /api/eperson/registrationsPOST /api/eperson/epersons?token=<:token>PATCH /api/eperson/epersons/<:id-eperson>?token=<:token>Checklist
This checklist provides a reminder of what we are going to look for when reviewing your PR. You need not complete this checklist prior to creating your PR (draft PRs are always welcome). If you are unsure about an item in the checklist, don't hesitate to ask. We're here to help!
400 Bad Request,401 Unauthorized,403 Forbidden,404 Not Found, etc)pom.xml), I've made sure their licenses align with the DSpace BSD License based on the Licensing of Contributions documentation.