From fca80a4d2709bcc49b2388579199fb5a74b0efb3 Mon Sep 17 00:00:00 2001
From: Andrej Shadura <andrew.shadura@collabora.co.uk>
Date: Wed, 4 May 2022 09:54:07 +0100
Subject: [PATCH] Allow new SSO logins in "deny" mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The can_register check is actually only suitable for preventing new
unverified registrations; in SSO mode, we normally trust the SSO
provider to have performed the checks and to give us only users we’re
supposed to let in.

Ideally, this should be a separate set of settings to allow e.g.
optionally requiring confirmation on SSO logins or to configure
different levels of trust per SSO provider.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
---
 .../webui/session/sso_confirm.html.haml       | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/src/api/app/views/webui2/webui/session/sso_confirm.html.haml b/src/api/app/views/webui2/webui/session/sso_confirm.html.haml
index 04ea69daac..2b73154538 100644
--- a/src/api/app/views/webui2/webui/session/sso_confirm.html.haml
+++ b/src/api/app/views/webui2/webui/session/sso_confirm.html.haml
@@ -3,15 +3,12 @@
 .card
   .card-body#loginform
     .col-lg-6.pl-0
-      - if can_register
-        %h3= @pagetitle
-        %p Since this is your first time you sign in, you need to choose your username.
-        = form_tag({ controller: 'session', action: 'sso_confirm', method: :post }, class: 'sign-up', autocomplete: 'off') do
-          .form-group
-            = label_tag 'login', 'Username:'
-            %abbr.text-danger{ title: 'required' } *
-            = text_field_tag 'login', @derived_username, placeholder: 'Username', autocomplete: 'off', class: 'form-control', required: true
-          = submit_tag('Confirm and Log In', class: 'btn btn-primary')
-      - else
-        %p Sorry, only existing users can sign in.
+      %h3= @pagetitle
+      %p Since this is your first time you sign in, you need to choose your username.
+      = form_tag({ controller: 'session', action: 'sso_confirm', method: :post }, class: 'sign-up', autocomplete: 'off') do
+        .form-group
+          = label_tag 'login', 'Username:'
+          %abbr.text-danger{ title: 'required' } *
+          = text_field_tag 'login', @derived_username, placeholder: 'Username', autocomplete: 'off', class: 'form-control', required: true
+        = submit_tag('Confirm and Log In', class: 'btn btn-primary')
 
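Review bot: With the `- if can_register` branch gone, this template no longer expresses any registration policy, so what a first-time SSO user may do in "deny" mode now rests entirely on the `sso_confirm` controller action, which is not part of this patch. If that action still consults the registration mode, the form will render and then fail on submit; if it does not, every identity the SSO provider asserts gets an account, which is worth confirming as intended for each configured provider. The `login` field is pre-filled from `@derived_username` but remains user-editable, so the action presumably has to validate the submitted name server-side (uniqueness, reserved names) rather than rely on the derived value. I would record the decision in the view with a comment above the heading, e.g. `-# Registration mode is deliberately not checked here: SSO users are admitted on the provider's assertion; see the session controller's sso_confirm action.`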
-- 
GitLab