6936 Implement email domain based groups #6974
Conversation
… to use in some places. IQSS#6936
…tructure. Still lacking tests, API endpoints etc. IQSS#6936
…ction function static. IQSS#6936
… included in group searches. IQSS#6936
…N parsing/printing). IQSS#6936
… service and entity layer. IQSS#6936
…Lacking deletion support. IQSS#6936
…the extended exception handling. IQSS#6936
…of MailDomainGroup. IQSS#6936
…group alias as the identifier everywhere. IQSS#6936
poikilotherm
added
Type: Feature
…NGLE_TABLE inheritance strategy. IQSS#6936
|
This is done I think. Can somebody please do a review? Thx! |
Will do, thank you! |
| @@ -546,6 +546,7 @@ public void sendConfirmEmail() { | |||
|
|
|||
| /** | |||
| * Determines whether the button to send a verification email appears on user page | |||
| * TODO: cant this be refactored to use confirmEmailService.hasVerifiedEmail(currentUser) ? | |||
There was a problem hiding this comment.
Somebody else here has pointed out that there is a connection with issue #3438; in a sense that, if we rely on users having verified emails for the purposes of group membership, not being able to verify it becomes more of an issue.
Since you have been using these email groups in production, have you done anything to address #3438? (one possible solutions appear to be to just always show this button below - ?)
There was a problem hiding this comment.
Nope, I didn't. I was going to lean on auth provider support for this. Is this still an issue? It's 4 years old and a lot happened since then. If we encounter these problems again, I could take a look at this...
There was a problem hiding this comment.
It appears that it has never been fixed precisely because it was not much of a serious issue for anyone (I didn't have any recollection of it). And form what I'm reading, that condition only happens if a user tries to refresh the page at the wrong time during the verification... The fact that you haven't heard many complaints about it is somewhat reassuring.
We'll address #3438, now that we have an extra reason to do so. I asked in part because I was wondering if the refactoring you suggested in the comment above might by itself solve it - but no, I don't think so.
|
Yeeeeehaw! 🤠 Thanks for merging @kcondon |
What this PR does / why we need it:
Next to explicit groups, IP groups and Shibboleth groups, there is another valuable source of information to which association a user belongs to: a verified email.
Based on the domain part of the email, it's very easy to create groups based on affiliations. This might be handy for installations like the one from Leuven, where different universities share one instance (multi-tenancy). Our use case @ FZJ is to be able to open up for collaboration while automatically granting some rights to staff.
As this is independent from Shibboleth, this might be good for other instances like WZB (ping @RightInTwo), that create users via API.
Which issue(s) this PR closes:
Closes #6936
Special notes for your reviewer:
This is not only introducing a new group provider, but also refactors some other places in the codebase. Some noteable places:
ExceptionMappers in REST API endpoints. There are a lot of places with lots of boilerplate and catch all like try-catch code. This makes the code more verbose and violates DRY principle. Obviously I didn't touch too much of other code to keep the scope of this PR as small as possible. (But didn't want to encourage the use of catch-alls any further...)Suggestions on how to test this:
Does this PR introduce a user interface change? If mockups are available, please link/include them here:
Nope.
Is there a release notes update needed for this change?:
It should be mentioned this is a new option to create groups of people.
Additional documentation:
Nada.