1st time SSO login w/ no certificate and no ldap groups, no Apply to Group, no "Your Account"

[lauramengel]

A first-timer logging into a DocDB with SSO, that has no certificate and no LDAP->DocDB mappings going to the DocumentDatabase page gets no "Apply to Group" or "Your Account" link. So they have no way to request being added to some groups.

Their account line on the personal accounts page is correct: John Doe, SSO:jdoe@fnal.gov, Yes, No, None

i.e. User is verified, but has no groups, User can create: 0

So not showing "Apply to Group" and "Your Account" links for a person who has no "create" may be correct for cert, password and public versions, but for SSO, if they are verified, they should be able to apply for more access.

[lauramengel]

Ignore this for now. I made an error.

[lauramengel]

Ok. I fixed my mistake and this is still an issue, no "Apply to Groups" or "Your Account" link if user comes into SSO without cert or LDAP groups.

[ericvaandering]

Makes sense. I'll take a look this morning. Should be easy.

[ericvaandering]

I think the problem is here: https://github.com/ericvaandering/DocDB/blob/16cad43ec775563df82feb7bcd1052984a7eca7f/DocDB/cgi/Security.pm#L287 If the user is in no groups, they get Public set on them. I don't want to remove that, I don't know what the side effects would be.

I think it's safe, instead, to remove a check on public for these two items and then will see if there are additional checks in the scripts they get directed to.

[lauramengel]

Could you remove the check on "public" for the "Add to Groups" and "Your Account" links only if they are in the SSO DocDB?

The cert/password versions are working fine, so I'd rather not change those.

[ericvaandering]

That's what I did. Let me know when you want a new FNAL_sso with everything in it. I checked and it doesn't appear that the four scripts downstream of these choices that the user will use to get groups have such a check.

[lauramengel]

Let me know when you want a new FNAL_sso with everything in it. I checked and it doesn't appear that the four scripts downstream of these choices that the user will use to get groups have such a check.

Yes on making a new FNAL SSO with everything.

If you tell me the functions the 4 scripts are related to, I'll test that with the new SSO user with no groups. I suspect they are:

• new SSO user with no groups clicks on "Your Account"
• new SSO user with no groups clicks on "Apply to Groups", applies, is approved Let me know if there's something else to test.

Thanks for checking the 4 downstream scripts.

[ericvaandering]

Yes, that's exactly it. Applying for new groups and the ability to select and set preferences for a user with no groups.

[lauramengel]

Ok. I think we could call this fixed for this version. See below for details. (The "Your Account" link did not show.)

When I removed the SSO account and then came in again:

• Was able to see lists and public documents

• The "Apply to Groups" link was available and showed no groups listed. Was able to pick a group and apply for access, get added to the group (docdbadm) by admin and use the new SSO account with the new group to view docdbadm docs and admin func

• The "Preferences" link was available and I was able to make changes and the changes were still there when I went back to preferences.

• The "Your Account" link was not there. This would have allowed me to set notifications on public documents and see some account info and that I have no groups. However, production does not currently allow people with public access to set notifications on documents, so we are not losing anything. Also, I can see the same account information from the "Apply to Groups" page. So that info can be gotten another way.

So I am ok leaving this as-is and we can consider for the next version if an SSO person with no groups should see the "Your Account" link and be able to set notifications before they are in any groups.

Let me know what you think.

[lauramengel]

Once I was in a group, the preferences that I changed when I was in no groups were used successfully when I went to create a doc (I had filled in an author, chose full topic list and ordered list of docs).

[lauramengel]

Are you ok with keeping it like this for this release:

No "Your Account" link for new SSO users with no groups, but there are "Apply to Groups" and "Preferences" links and they work and show needed account info.

Main thing lost is users can not set notifications until after they are in at least one group.

[ericvaandering]

That was unintentional. There was another check on $Public and I bypassed that one too. The link should be back.

[lauramengel]

This is fixed. The "Your Account" link is now present for a new SSO user with no groups.

I was able to add notifications to the account before the account was in any groups, and the user received the notification (possibly after being added to a group, but that shouldn't matter)

[ericvaandering]

Yeah, there shouldn't be a check on if the person has any groups if the doc is public. And getting notified about public docs is no problem.