Green-Party-of-Canada-Members / gpc-decidim

Decidim For the Green Party of Canada
https://wedecide.green.ca/
GNU Affero General Public License v3.0

CiviCRM OAuth refinements #103

Closed BigSnicker closed 3 months ago

BigSnicker commented 1 year ago

There are two updates we'd like to consider, related to CiviCRM OAuth.

Currently, people with only Drupal accounts can be authenticated, so CiviCRM membership status is not being used. This is risky, as it could allow people with cancelled memberships to leave harmful comments. We want to enable the use of CiviCRM membership status to control participants' ability to create content.


  1. Using CiviCRM membership status for WeDecide privileges:
    • OAuth pulls CiviCRM membership status. Accounts without a valid CiviCRM membership are not authenticated under the CiviCRM membership authentication. (This is currently not happening)
    • In case of failure, ideally an elegant error message, along the lines of "your membership is not current"

A second, less important issue is controlling names to ensure transparency and accountability.

  2. Forcing use of real names - Is there any way to have WeDecide use the names provided via OAuth, so that there's a single source of truth for user names?

BigSnicker commented 1 year ago

We tested this with the following test case:

  1. Created a new Drupal Account (e.g. test.account5@greenparty.ca)
  2. A CiviCRM contact is automatically created with no membership information (e.g. no Free, One or Three Year membership)
  3. A WeDecide/decidim participant logs in to the newly created account (e.g. test.account5@greenparty.ca) via decidim/WeDecide OAuth
  4. The decidim log-in is successful with the decidim account's CiviCRM Membership Status Authorization as Granted <- This shouldn't be granted, as there is no valid membership status

BigSnicker commented 1 year ago

We'll be coming back to you with more specifics around this request, soon.

BigSnicker commented 1 year ago

Okay, we've tested this and Membership Type doesn't appear to be working.

We want people with valid Membership Type IDs (e.g. Free, One Year, Three Year) to be able to access certain resources.

To do this, we set the privileges like this:

(screenshot)

But they don't appear to work. We get the "Error with Membership Type ID" errors.

We set Membership Type as a requirement for commenting on Workshop Proposals (for example, this one), but cannot get any accounts to comment.

BigSnicker commented 1 year ago

A modification to this work. We'd like log-ins to be allowed only if the member has a valid Civi membership type.

So:

  1. Member logs in to WeDecide via Drupal OAuth
  2. OAuth checks Membership Type ID.
  3. Authenticate the participant successfully in case of Membership Type ID = Free, One Year, or Three Year
  4. In case of failure, redirect to failure page (configurable, but probably a page in the FAQs)

ALSO:

  1. Is it possible to take user names, nicknames and email via OAuth and freeze them on wedecide, preventing users from changing them?
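The login gate requested in the comment above, written out as an added Ruby example (this is not code from gpc-decidim or Decidim): the mapping of Membership Type IDs to names, the field names in the OAuth user-info payload, the "Current" status value and the failure URL are all assumptions.

```ruby
require "date"
require "uri"

# Assumed mapping of CiviCRM Membership Type IDs to the types named in the
# issue; the real IDs are configured in the party's CiviCRM instance.
ALLOWED_MEMBERSHIP_TYPES = { 1 => "Free", 2 => "One Year", 3 => "Three Year" }.freeze

# Decide whether the OAuth callback may authenticate this participant.
# `payload` is the parsed user-info document returned by the provider
# (field names assumed). Returns [:granted, nil] or [:denied, reason].
def membership_decision(payload, today: Date.today)
  memberships = Array(payload["memberships"])
  # A Drupal-only account has a CiviCRM contact but no membership rows.
  return [:denied, "no CiviCRM membership on record"] if memberships.empty?

  memberships.each do |m|
    type_id = m["membership_type_id"].to_i
    # Only the configured types count; any other type does not grant access.
    next unless ALLOWED_MEMBERSHIP_TYPES.key?(type_id)
    # Cancelled, expired or pending memberships must not authenticate.
    next unless m["status"] == "Current"
    # Belt and braces: also reject a row whose end date has passed even if
    # the status field has not been updated yet.
    end_date = begin
      m["end_date"] && Date.strptime(m["end_date"], "%Y-%m-%d")
    rescue ArgumentError
      nil
    end
    next if end_date && end_date < today
    return [:granted, nil]
  end
  [:denied, "your membership is not current"]
end

# Where to send the browser after the decision: the site root on success,
# otherwise the configurable failure page (e.g. an FAQ entry) with the reason
# attached so that page can show the "your membership is not current" message.
def post_login_redirect(decision, failure_url:)
  status, reason = decision
  return "/" if status == :granted
  "#{failure_url}?reason=#{URI.encode_www_form_component(reason)}"
end

# Constructed sample payloads, not real member data.
SAMPLE_PAYLOADS = {
  drupal_only: { "email" => "test.account5@greenparty.ca", "memberships" => [] },
  cancelled: { "memberships" => [{ "membership_type_id" => 2, "status" => "Cancelled" }] },
  current: { "memberships" => [{ "membership_type_id" => 3, "status" => "Current", "end_date" => "2027-06-30" }] },
  expired: { "memberships" => [{ "membership_type_id" => 1, "status" => "Current", "end_date" => "2020-01-01" }] }
}.freeze
```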