user_roles merge

app/controllers/redmine_oauth_controller.rb

@@ -130,6 +130,38 @@ def oauth_callback
     end
     raise StandardError, l(:oauth_no_verified_email) unless email
 
+    # Roles
+    Rails.logger.debug { "Setting.validate_user_roles = '#{Setting.plugin_redmine_oauth[:validate_user_roles]}'" }
+    keys = Setting.plugin_redmine_oauth[:validate_user_roles]&.split('.')
+    if keys&.size&.positive?
+      Rails.logger.debug { user_info }
+      roles = user_info
+      while keys.size.positive?
+        key = keys.shift
+        Rails.logger.debug { "key: #{key}" }
+        unless roles.key?(key)
+          Rails.logger.debug { 'Key not found => access denied' }
+          roles = []
+          break
+        end
+        roles = roles[key]
+      end
+      roles = roles.to_a
+      Rails.logger.debug { "Roles: #{roles.join(',')}" }
+      if roles.blank? || roles.exclude?('user')
+        Rails.logger.debug { 'user role not found => access denied' }
+        Rails.logger.info 'Authentication failed due to a missing role in the token'
+        params[:username] = email
+        invalid_credentials
+        raise StandardError, l(:notice_account_invalid_credentials)
+      else
+        @admin = roles.to_a.include?('admin')
+        Rails.logger.debug { "admin = #{@admin}" }
+      end
+    end
+
+    # Try to log in
+    Rails.logger.debug { "try_to_log_in #{email}" }
     try_to_login email, user_info
   rescue StandardError => e
     Rails.logger.error e.message
@@ -199,6 +231,10 @@ def try_to_login(email, info)
       invalid_credentials
       raise StandardError, l(:notice_account_invalid_credentials)
     end
+    return if @admin.nil?
+
+    user.admin = @admin
+    Rails.logger.error(user.errors.full_messages.to_sentence) unless user.save
   end
 
   def oauth_client

app/views/settings/_oauth_settings.html.erb

@@ -118,6 +118,11 @@
         <em class="info"><%= l(:label_default) %>: family_name</em>
       </p>
     </div>
+    <p>
+      <label><%= l(:oauth_validate_user_roles) %></label>
+      <%= text_field_tag 'settings[validate_user_roles]', @settings[:validate_user_roles], size: 40 %>
+      <em class="info"><%= l(:oauth_validate_user_roles_info) %></em>
+    </p>
     <p>
       <label><%= l(:oauth_hide_login_form) %></label>
       <%= check_box_tag 'settings[hide_login_form]', true, @settings[:hide_login_form] %>

config/locales/cs.yml

@@ -58,4 +58,8 @@ cs:
   oauth_logout: OAuth odhlášení
   oauth_logout_info: Odhlásit se také od poskytovatele OAuth po dohlášení z Redminu
   oauth_custom_logout_endpoint: Endpoint odhlášení
-  oauth_custom_logout_endpoint_info: Endpoint pro odhlášení od poskytovatele
+  oauth_custom_logout_endpoint_info: Endpoint pro odhlášení od poskytovatele
+  oauth_validate_user_roles_info: "Klíč, kde jsou definované role v tokenu. Pokud je nastaveno, tak 'user' role povolí
+    přihlášení, 'admin' přidělí práva administrátora. Jestliže role 'user' není uvedena, přístup je odmítnut. Jestliže
+    chybí role 'admin', práva administrátora jsou odebrána. př.: Zadejte 'resource_access.redmine.roles', když máte
+    v tokenu nakonfigurováno toto: 'resource_access': { 'redmine': { 'roles': ['user', 'admin'] } }."

config/locales/de.yml

@@ -58,4 +58,8 @@ de:
   oauth_logout: OAuth-Abmeldung
   oauth_logout_info: Abmelden auch vom OAuth-Anbieter nach der Redmine-Abmeldung
   oauth_custom_logout_endpoint: Abmeldung-Endpoint
-  oauth_custom_logout_endpoint_info: Abmeldung-Endpoint für Abmeldung vom OAuth-Anbieter
+  oauth_custom_logout_endpoint_info: Abmeldung-Endpoint für Abmeldung vom OAuth-Anbieter
+  oauth_validate_user_roles_info: "A key, where user roles are present in the token. If set, 'user' role grants access, 
+      'admin' grants admin rights. If 'user' role is not present, access is denied. If 'admin role is missing, admin 
+      rights are revoked. E.g.: Enter 'resource_access.redmine.roles', if you have your token set as follows:
+      'resource_access': { 'redmine': { 'roles': ['user', 'admin'] } }"

config/locales/en.yml

@@ -59,3 +59,8 @@ en:
   oauth_logout_info: Log out from the OAuth provider too after Redmine log out
   oauth_custom_logout_endpoint: Logout endpoint
   oauth_custom_logout_endpoint_info: Application Logout endpoint
+  oauth_validate_user_roles: Validate user roles
+  oauth_validate_user_roles_info: "A key, where user roles are present in the token. If set, 'user' role grants access, 
+    'admin' grants admin rights. If 'user' role is not present, access is denied. If 'admin role is missing, admin 
+    rights are revoked. E.g.: Enter 'resource_access.redmine.roles', if you have your token set as follows:
+    'resource_access': { 'redmine': { 'roles': ['user', 'admin'] } }"

config/locales/fr.yml

@@ -58,4 +58,8 @@ fr:
   oauth_logout: OAuth logout
   oauth_logout_info: Log out from the OAuth provider too after Redmine log out
   oauth_custom_logout_endpoint: Logout endpoint
-  oauth_custom_logout_endpoint_info: Application Logout endpoint
+  oauth_custom_logout_endpoint_info: Application Logout endpoint
+  oauth_validate_user_roles_info: "A key, where user roles are present in the token. If set, 'user' role grants access, 
+      'admin' grants admin rights. If 'user' role is not present, access is denied. If 'admin role is missing, admin 
+      rights are revoked. E.g.: Enter 'resource_access.redmine.roles', if you have your token set as follows:
+      'resource_access': { 'redmine': { 'roles': ['user', 'admin'] } }"

init.rb

@@ -55,6 +55,7 @@
     custom_lastname_field: 'family_name',
     update_login: nil,
     oauth_logout: nil,
-    custom_logout_endpoint: ''
+    custom_logout_endpoint: '',
+    validate_user_roles: ''
   }, partial: 'settings/oauth_settings'
 end