samvera / hydra-role-management

User roles for hydra users

Regression: Users must exist before they can be added to roles #3

Closed cjcolvar closed 6 years ago

cjcolvar commented 11 years ago

The default role mapper allowed a username to be added to a role before a user has registered.

We use this for people wanting access to our test server. They email us requesting access, we add them to a role, and send them an email with instructions for how to create an account through IU's CAS.

Another use case would be students or TAs that you want added to a role before a term starts and not have to negotiate with each one to add them to a role after they have registered with the system.

The existing behavior could be easily restored by creating a user when they are added to a group and this works in our system which uses devise+omniauth but wouldn't with default devise. Is there a better way to provide for this use case?

jcoyne commented 11 years ago

I can't imagine how this could be a use case with default devise. If they haven't made an account, I wouldn't know how to add them to a role, because they haven't yet been assigned a username/email.

mbklein commented 11 years ago

We're already doing this in Avalon with OmniAuth + Devise, and we haven't done anything funky to Devise to make it work. Users are identified by a string (username, email address, whatever). The table that links users to roles uses the username string instead of the id field from the user table. That way, we can add users to roles by ID before they exist in the User table. This works because they have a university-assigned User ID, and their User record is initialized with it the first time they successfully log in using institutional authentication.

For example, Alice's Northwestern NetID is abc123 whether our Hydra head knows it yet or not. I should be able to add abc123 to an administrator group before she's in the User table, because I know for certain what her ID will be when she finally gets here. I can't necessarily create the User entry beforehand, though, because it gets initialized with additional LDAP information that I won't have access to until she logs in and it shows up in her OmniAuth session.
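The mapping mbklein describes, as an added Ruby example that is not code from this issue or from hydra-role-management itself: roles are keyed on the institution-issued username string rather than on a `users.id` foreign key, so a role can be granted before any User row exists, and the User record is created at first institutional login with the identifier the identity provider asserts. The class names (`RoleMapper`, `UserRegistry`), the `login` method, the case-folding normalization and the OmniAuth-style `uid`/`info` hash shape are assumptions made for this example.

```ruby
# Added example, not hydra-role-management's own code.
# Roles are keyed on the institutional username string, so a role can be
# granted before the matching User record exists.
require 'set'

class RoleMapper
  def initialize
    # role name => set of normalized usernames (would be a DB table in Rails)
    @roles = Hash.new { |h, k| h[k] = Set.new }
  end

  # Assumption: institutional IDs are case-insensitive, so "ABC123" and
  # "abc123" must resolve to the same person for lookups to be reliable.
  def self.normalize(username)
    username.to_s.strip.downcase
  end

  def add(role, username)
    @roles[role] << self.class.normalize(username)
    self
  end

  def remove(role, username)
    @roles[role].delete(self.class.normalize(username))
  end

  def member?(role, username)
    @roles[role].include?(self.class.normalize(username))
  end

  # All roles a username holds, regardless of whether a User row exists yet.
  def roles_for(username)
    key = self.class.normalize(username)
    @roles.select { |_, members| members.include?(key) }.keys.sort
  end
end

User = Struct.new(:username, :display_name, :roles)

class UserRegistry
  def initialize(role_mapper)
    @role_mapper = role_mapper
    @users = {} # normalized username => User (the users table in Rails)
  end

  def exists?(username)
    @users.key?(RoleMapper.normalize(username))
  end

  # Simulates first login through institutional authentication. The auth hash
  # is the provider-asserted identity (OmniAuth-style, an assumption here);
  # only its :uid is used for role lookup, never a value the user typed.
  def login(auth_hash)
    uid = RoleMapper.normalize(auth_hash.fetch(:uid))
    user = @users[uid] ||= User.new(uid, auth_hash.dig(:info, :name), [])
    user.roles = @role_mapper.roles_for(uid)
    user
  end
end

# Walk through the scenario from the comment: grant before registration,
# then create the User at first login and resolve the pre-assigned role.
def demo
  mapper = RoleMapper.new
  registry = UserRegistry.new(mapper)
  mapper.add('admin', 'abc123')          # Alice has never logged in yet
  raise 'user should not exist yet' if registry.exists?('abc123')
  # Constructed auth hash standing in for what the provider would return.
  alice = registry.login(uid: 'ABC123', info: { name: 'Alice' })
  [alice.roles, registry.exists?('abc123')]
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The point to keep in mind with this design is that authorization now rests entirely on the string the identity provider returns, so the role table should only ever be compared against that asserted identifier (normalized the same way on both sides), and removing someone from a role should be possible whether or not they have logged in.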

jcoyne commented 11 years ago

@mbklein That approach sounds like it works pretty well.

jrgriffiniii commented 6 years ago

After discussing this with @cjcolvar, it was determined that this was an extremely low priority, and could be closed until it is revisited for a future release.