Do not change group after authorization, Russian locale

app/models/oic_session.rb

@@ -72,6 +72,10 @@ def self.get_token(query)
     )
   end
 
+  def self.dont_change_group?
+    client_config['dont_change_group']
+  end
+
   def get_access_token!
     response = self.class.get_token(access_token_query)
     if response["error"].blank?
@@ -136,7 +140,7 @@ def check_keycloak_role(role)
     if user["resource_access"].present? && user["resource_access"][client_config['client_id']].present?
       kc_is_in_role = user["resource_access"][client_config['client_id']]["roles"].include?(role)
     end
-    return true if kc_is_in_role 
+    return true if kc_is_in_role
   end
 
   def authorized?
@@ -152,7 +156,7 @@ def authorized?
 
     if client_config['group'].present?
        return true if user["member_of"].present? && user["member_of"].include?(client_config['group'])
-       return true if user["roles"].present? && user["roles"].include?(client_config['group']) || user["roles"].include?(client_config['admin_group']) 
+       return true if user["roles"].present? && user["roles"].include?(client_config['group']) || user["roles"].include?(client_config['admin_group'])
     end
 
     return false
@@ -163,13 +167,13 @@ def admin?
       if user["member_of"].present?
         return true if user["member_of"].include?(client_config['admin_group'])
       end
-      if user["roles"].present? 
+      if user["roles"].present?
         return true if user["roles"].include?(client_config['admin_group'])
       end
       # keycloak way...
       return true if check_keycloak_role client_config['admin_group']
     end
-    
+
     return false
   end
 
@@ -235,7 +239,7 @@ def end_session_query
       'session_state' => session_state,
       'post_logout_redirect_uri' => "#{host_name}/oic/local_logout",
     }
-    if id_token.present? 
+    if id_token.present?
       query['id_token_hint'] = id_token
     end
    return query

app/views/settings/_redmine_openid_connect_settings.html.erb

@@ -25,6 +25,11 @@
   <%= text_field_tag 'settings[scopes]', @settings['scopes'], :size => '60' %>
 </p>
 
+<p>
+  <label><%= t('config.dont_change_group') %></label>
+  <%= check_box_tag 'settings[dont_change_group]', true, @settings['dont_change_group'] %>
+</p>
+
 <p>
   <label><%= t('config.group') %></label>
   <%= text_field_tag 'settings[group]', @settings['group'] %>

config/locales/en.yml

@@ -8,6 +8,8 @@ en:
     openid_connect_server_url: OpenID Connect server url
     scopes: OpenID Connect scopes (comma-separated)
     client_secret: Client Secret
+    disable_ssl_validation: Disable SSL validation
+    dont_change_group: Do not change group
     group: Authorized group (blank if all users are authorized)
     admin_group: Admins group (members of this group are treated as admin)
     dynamic_config_expiry: How often to retrieve openid configuration (default 1 day)

config/locales/ru.yml

@@ -0,0 +1,22 @@
+# Russian strings go here for Rails i18n
+ru:
+  config:
+    enabled: Включен
+    login_selector: Показывать форму авторизации
+    header: Настройка OpenID Connect
+    client_id: ID клиента
+    openid_connect_server_url: URL сервера OpenID Connect
+    scopes: OpenID Connect scopes (через запятую)
+    client_secret: Client Secret
+    disable_ssl_validation: Выключить валидацию SSL
+    dont_change_group: Не менять группу после авторизации
+    group: Авторизованная группу (оставьте пустым, если все пользователи авторизованы)
+    admin_group: Административная группу (пользователи этой группы будут назначены администраторами)
+    dynamic_config_expiry: Как часто получать конфигурацию openid (по умолчанию 1 день)
+    create_user_if_not_exists: Создать пользователя, если он не существует
+    disallowed_auth_sources_login: Пользователи из следующих источников аутентификации должны будут войти в систему с помощью SSO.
+  oic_logout_success: 'Вы вышли из системы. <a href="%{value}">Войти снова</a>.'
+  oic_cannot_create_user: "Не удалось создать пользователя %{value}: "
+  oic_try_another_account: "<a href='%{value}'>Попробуйте войти с другой учетной записью</a>"
+  oic_cannot_login_user: "Пользователю %{value} не удалось войти: пожалуйста, войдите, используя опцию SSO"
+  button_login_sso: Войти с помощью SSO

lib/redmine_openid_connect/account_controller_patch.rb

@@ -22,7 +22,7 @@ def logout
     rescue ActiveRecord::RecordNotFound => e
       redirect_to oic_local_logout_url
     end
-    
+
     # performs redirect to SSO server
     def oic_login
       if session[:oic_session_id].blank?
@@ -93,7 +93,7 @@ def oic_local_login
         if user.nil?
           if !OicSession.create_user_if_not_exists?
             flash.now[:warning] ||= l(:oic_cannot_create_user, value: user_info["email"])
-            
+
             logger.warn "Could not create user #{user_info["email"]}, the system is not allowed to create new users through openid"
             flash.now[:warning] += "The system is not allowed to create new users through openid"
 
@@ -126,7 +126,9 @@ def oic_local_login
           user.assign_attributes attributes
 
           if user.save
-            user.update_attribute(:admin, oic_session.admin?)
+            if !OicSession.dont_change_group?
+              user.update_attribute(:admin, oic_session.admin?)
+            end
             oic_session.user_id = user.id
             oic_session.save!
             # after user creation just show "My Page" don't redirect to remember
@@ -140,7 +142,9 @@ def oic_local_login
             return invalid_credentials
           end
         else
-          user.update_attribute(:admin, oic_session.admin?)
+          if !OicSession.dont_change_group?
+            user.update_attribute(:admin, oic_session.admin?)
+          end
           oic_session.user_id = user.id
           oic_session.save!
           # redirect back to initial URL