Optional user blocking when user register approval is required

composer.json

@@ -11,6 +11,7 @@
         "php": "^7.1"
     },
     "require-dev": {
+        "behat/mink-extension": "^2.3.1",
         "composer/installers": "~1.5",
         "consolidation/robo": "~1.4",
         "consolidation/annotated-command": "^2.8.2",

config/install/oe_authentication.settings.yml

@@ -3,3 +3,4 @@ register_path: 'eim/external/register.cgi'
 validation_path: 'TicketValidationService'
 assurance_level: TOP
 ticket_types: SERVICE,PROXY
+block_on_site_admin_approval: true

config/schema/oe_authentication.schema.yml

@@ -16,4 +16,7 @@ oe_authentication.settings:
       label: 'Application assurance levels'
     ticket_types:
       type: string
-      label: 'Application available ticket types'
+      label: 'Application available ticket types'
+    block_on_site_admin_approval:
+      type: boolean
+      label: 'Block newly created users if the site requires admin approval'

oe_authentication.post_update.php

@@ -0,0 +1,17 @@
+<?php
+
+/**
+ * @file
+ * Post update functions for OE Authentication module.
+ */
+
+declare(strict_types = 1);
+
+/**
+ * Add the 'block_on_site_admin_approval' module setting.
+ */
+function oe_authentication_post_update_user_register_redirect(): void {
+  \Drupal::configFactory()->getEditable('oe_authentication.settings')
+    ->set('block_on_site_admin_approval', TRUE)
+    ->save();
+}

src/Event/EuLoginEventSubscriber.php

@@ -12,6 +12,7 @@
 use Drupal\Core\Config\ConfigFactoryInterface;
 use Drupal\Core\Messenger\MessengerInterface;
 use Drupal\Core\StringTranslation\StringTranslationTrait;
+use Drupal\user\UserInterface;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Drupal\oe_authentication\CasProcessor;
@@ -106,12 +107,16 @@ public function processUserProperties(CasPreRegisterEvent $event): void {
     $attributes = $event->getCasPropertyBag()->getAttributes();
     $event->setPropertyValues(CasProcessor::convertCasAttributesToFieldValues($attributes));
 
-    // If the site is configured to need administrator approval,
-    // change the status of the account to blocked.
+    // If the site is configured to require administrator approval on user
+    // registration and OE Authentication is configured to register new users as
+    // disabled users, change the status of the account to blocked.
     $user_settings = $this->configFactory->get('user.settings');
-    if ($user_settings->get('register') === USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) {
-      $event->setPropertyValue('status', 0);
-      $this->messenger->addStatus($this->t('Thank you for applying for an account. Your account is currently pending approval by the site administrator.'));
+    if ($user_settings->get('register') === UserInterface::REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) {
+      $oe_authentication_settings = $this->configFactory->get('oe_authentication.settings');
+      if ($oe_authentication_settings->get('block_on_site_admin_approval')) {
+        $event->setPropertyValue('status', 0);
+        $this->messenger->addStatus($this->t('Thank you for applying for an account. Your account is currently pending approval by the site administrator.'));
+      }
     }
   }
 

src/Form/AuthenticationSettingsForm.php

@@ -6,6 +6,7 @@
 
 use Drupal\Core\Form\ConfigFormBase;
 use Drupal\Core\Form\FormStateInterface;
+use Drupal\user\UserInterface;
 
 /**
  * Settings form for module.
@@ -53,6 +54,13 @@ public function buildForm(array $form, FormStateInterface $form_state) {
       '#title' => $this->t('Application available ticket types'),
       '#default_value' => $this->config(static::CONFIG_NAME)->get('ticket_types'),
     ];
+    $form['block_on_site_admin_approval'] = [
+      '#type' => 'checkbox',
+      '#title' => $this->t('Block newly created users if the site requires admin approval'),
+      '#disabled' => $this->config('user.settings')->get('register') !== UserInterface::REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL,
+      '#default_value' => $this->config(static::CONFIG_NAME)->get('block_on_site_admin_approval'),
+      '#description' => $this->t('New users, registered after a successful EU Login, are disabled when this option is checked, if the user registration is configured to require administrators approval. This option cannot be configured and has no effect if only administrators can register users or visitors can register themselves without any approval.'),
+    ];
     return parent::buildForm($form, $form_state);
   }
 
@@ -66,6 +74,7 @@ public function submitForm(array &$form, FormStateInterface $form_state) {
       ->set('validation_path', $form_state->getValue('validation_path'))
       ->set('assurance_level', $form_state->getValue('assurance_level'))
       ->set('ticket_types', $form_state->getValue('ticket_types'))
+      ->set('block_on_site_admin_approval', $form_state->getValue('block_on_site_admin_approval'))
       ->save();
     parent::submitForm($form, $form_state);
   }

tests/Behat/AuthenticationContext.php

@@ -137,6 +137,59 @@ public function setNewUsersBlocked(): void {
     $this->configContext->setConfig('user.settings', 'register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
   }
 
+  /**
+   * Asserts that a give field is disabled.
+   *
+   * @param string $field_locator
+   *   The field locator.
+   *
+   * @throws \Exception
+   *   If the field is enabled.
+   *
+   * @Given (the ):field (field )should be disabled
+   */
+  public function assertFieldIsDisabled(string $field_locator): void {
+    if ($this->isFieldEnabled($field_locator)) {
+      throw new \Exception("Field '$field_locator' is enabled but should be disabled.");
+    }
+  }
+
+  /**
+   * Asserts that a give field is not disabled.
+   *
+   * @param string $field_locator
+   *   The field locator.
+   *
+   * @throws \Exception
+   *   If the field is disabled.
+   *
+   * @Given (the ):field (field )should not be disabled
+   */
+  public function assertFieldIsNotDisabled(string $field_locator): void {
+    if (!$this->isFieldEnabled($field_locator)) {
+      throw new \Exception("Field '$field_locator' is disabled but should be enabled.");
+    }
+  }
+
+  /**
+   * Finds out if a given field is enabled or disabled.
+   *
+   * @param string $field_locator
+   *   The field locator.
+   *
+   * @return bool
+   *   TRUE if the field is enabled, FALSE otherwise.
+   *
+   * @throws \Exception
+   *   If the field doesn't exist.
+   */
+  protected function isFieldEnabled(string $field_locator): bool {
+    if (!$field = $this->getSession()->getPage()->findField($field_locator)) {
+      throw new \Exception("Field '$field_locator' doesn't exist.");
+    }
+    return empty($field->getAttribute('disabled'));
+  }
+
   /**
    * We reset the authentication mock to the state as it was.
    *

tests/features/configure_authentication.feature

@@ -8,25 +8,35 @@ Feature: Authentication
 
   @DrupalLogin @BackupAuthConfigs
   Scenario: Configure Authentication settings
+    Given the site is configured to make users blocked on creation
     When I am on "the Authentication configuration page"
+
     Then I should see "Authentication settings"
     # Check for the default config is there.
     And the "Application authentication protocol" field should contain "eulogin"
     And the "Application register path" field should contain "eim/external/register.cgi"
     And the "Application validation path" field should contain "TicketValidationService"
     And the "Application assurance levels" field should contain "TOP"
     And the "Application available ticket types" field should contain "SERVICE,PROXY"
+    And the "Block newly created users if the site requires admin approval" field should not be disabled
+    And the "Block newly created users if the site requires admin approval" checkbox should be checked
 
     # Change the configuration values.
     When I fill in "Application authentication protocol" with "something"
     And I fill in "Application register path" with "test/something"
     And I fill in "Application validation path" with "validation/path"
     And I fill in "Application assurance levels" with "assurance"
     And I fill in "Application available ticket types" with "ticket.test"
+    And I uncheck "Block newly created users if the site requires admin approval"
     And I press "Save configuration"
     Then I should see the message "The configuration options have been saved."
     And the "Application authentication protocol" field should contain "something"
     And the "Application register path" field should contain "test/something"
     And the "Application validation path" field should contain "validation/path"
     And the "Application assurance levels" field should contain "assurance"
     And the "Application available ticket types" field should contain "ticket.test"
+    And the "Block newly created users if the site requires admin approval" checkbox should be unchecked
+
+    Given the site is configured to make users active on creation
+    When I reload the page
+    Then the "Block newly created users if the site requires admin approval" field should be disabled

tests/features/ecas-login.feature

@@ -115,18 +115,3 @@ Feature: Login through OE Authentication
     When I click "Log out"
     And I press the "Log me out" button
     Then I should be on the homepage
-
-  @cleanup:user
-  Scenario: A site that requires administration validation on users should block them by default
-    # When I try to log in again I will be denied access.
-    Given the site is configured to make users blocked on creation
-    When I am on the homepage
-    And I click "Log in"
-    And I click "European Commission"
-    And I fill in "Username or e-mail address" with "Lisbeth.SALANDER@ext.ec.europa.eu"
-    And I fill in "Password" with "dragon_tattoo"
-    And I press the "Login!" button
-    Then I should be on the homepage
-    And I should see "Your account is blocked or has not been activated. Please contact a site administrator."
-    And I should see "Thank you for applying for an account. Your account is currently pending approval by the site administrator."
-    And I should see the link "Log in"

tests/features/require-admin-approval.feature

@@ -0,0 +1,42 @@
+@api @javascript
+Feature: As an on a site that requires registration admin approval, when
+  configuring the EU Login, I want to be able to decide whether users registered
+  via EU Login are active or blocked.
+
+  @cleanup:user @DrupalLogin @BackupAuthConfigs
+  Scenario: A site that requires administration validation on users should block
+    them by default
+
+    Given the site is configured to make users blocked on creation
+    And I am an anonymous user
+    When I am on the homepage
+    And I click "Log in"
+    And I click "EU Login"
+    And I click "European Commission"
+    And I fill in "Username or e-mail address" with "Lisbeth.SALANDER@ext.ec.europa.eu"
+    And I fill in "Password" with "dragon_tattoo"
+    And I press the "Login!" button
+    Then I should be on the homepage
+    And I should see "Your account is blocked or has not been activated. Please contact a site administrator."
+    And I should see "Thank you for applying for an account. Your account is currently pending approval by the site administrator."
+    And I should see the link "Log in"
+    # Logout from EU Login.
+    And I click "Log in"
+    And I click "EU Login"
+    And I click "Logout"
+
+    Given I am logged in as a user with the "administer authentication configuration" permission
+    When I am on "the Authentication configuration page"
+    And I uncheck "Block newly created users if the site requires admin approval"
+    Then I press the "Save configuration" button
+
+    Given I am an anonymous user
+    When I am on the homepage
+    And I click "Log in"
+    And I click "EU Login"
+    And I click "European Commission"
+    And I fill in "Username or e-mail address" with "texasranger@chucknorris.com.eu"
+    And I fill in "Password" with "Qwerty098"
+    And I press the "Login!" button
+    Then I should be on the homepage
+    And I should see the link "Log out"