From 0c89a637dbe4181a41a1c973e0f5405a81e79b55 Mon Sep 17 00:00:00 2001 From: MontrealSergiy Date: Wed, 16 Oct 2024 18:05:54 -0400 Subject: [PATCH] Align Globus bugfix with OIDC generalization #1391 Update bugfix to OICD generalization --- BrainPortal/app/controllers/nh_users_controller.rb | 6 +++--- BrainPortal/app/controllers/users_controller.rb | 6 +++--- BrainPortal/lib/globus_helpers.rb | 5 +++-- BrainPortal/spec/controllers/users_controller_spec.rb | 4 ++-- 4 files changed, 11 insertions(+), 10 deletions(-) diff --git a/BrainPortal/app/controllers/nh_users_controller.rb b/BrainPortal/app/controllers/nh_users_controller.rb index 11434fc42..cd2f17696 100644 --- a/BrainPortal/app/controllers/nh_users_controller.rb +++ b/BrainPortal/app/controllers/nh_users_controller.rb @@ -67,7 +67,7 @@ def edit #:nodoc: def change_password #:nodoc: @user = current_user if user_must_link_to_oidc?(@user) - cb_error "Your account can only authenticate with Globus identities.", :redirect => { :action => :myaccount } + cb_error "Your account can only authenticate with OpenID identities (such as Globus).", :redirect => { :action => :myaccount } end end @@ -88,8 +88,8 @@ def update attr_to_update.delete(:zenodo_main_token) if attr_to_update[:zenodo_main_token].blank? # Do not update password if user must use globus - if user_must_link_to_oidc?(@user) - flash[:error] = "You cannot change the password for your account." if attr_to_update[:password].present? + if user_must_link_to_oidc?(@user) && attr_to_update[:password] + flash[:error] = "You cannot change the password for your account because you should use OpenID." if attr_to_update[:password].present? attr_to_update.delete(:password) attr_to_update.delete(:password_confirmation) end diff --git a/BrainPortal/app/controllers/users_controller.rb b/BrainPortal/app/controllers/users_controller.rb index 45cdee8c2..9f9f4022d 100644 --- a/BrainPortal/app/controllers/users_controller.rb +++ b/BrainPortal/app/controllers/users_controller.rb 
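Review bot: In `update` (nh_users_controller.rb, second hunk) the context comment `# Do not update password if user must use globus` is stale now that the predicate is `user_must_link_to_oidc?`; `# Do not update password if the user must authenticate through an OIDC provider` would match. The new outer guard tests `attr_to_update[:password]` for truthiness while the inner modifier still tests `.present?`, so an empty-string password strips both keys without any flash. A request carrying only `:password_confirmation` is no longer stripped at all, which is probably harmless, but it is worth confirming that the model ignores a confirmation sent without a password. The body of `update` starts and ends outside the hunk.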
@@ -386,10 +386,10 @@ def send_password #:nodoc: @user = User.where( :login => params[:login], :email => params[:email] ).first if @user - if user_must_link_to_globus?(@user) + if user_must_link_to_oidc?(@user) contact = RemoteResource.current_resource.support_email.presence || User.admin.email.presence || "the support staff" - wipe_user_password_after_globus_link(@user) # for legacy or erroneously set users - flash[:error] = "Your account can only authenticate with Globus identities. Thus you are not allowed to use or reset password. Please contact #{contact} for help." + wipe_user_password_after_oidc_link("password-rest", @user) # for legacy or erroneously set users + flash[:error] = "Your account can only authenticate with OpenID identities. Thus you are not allowed to use or reset password. Please contact #{contact} for help." respond_to do |format| format.html { redirect_to login_path } format.any { head :unauthorized } diff --git a/BrainPortal/lib/globus_helpers.rb b/BrainPortal/lib/globus_helpers.rb index 04c532504..6ae8a359c 100644 --- a/BrainPortal/lib/globus_helpers.rb +++ b/BrainPortal/lib/globus_helpers.rb @@ -148,8 +148,9 @@ def user_must_link_to_oidc?(user) end def wipe_user_password_after_oidc_link(oidc, user) - user.update_attribute(:crypted_password, "Wiped-By-#{oidc.name}-Link-" + User.random_string) - user.update_attribute(:salt , "Wiped-By-#{oidc.name}-Link-" + User.random_string) + wipe_by = oidc.is_a?(String) ? "Wiped-By-#{oidc}-Link-" : "Wiped-By-#{oidc.name}-Link-" + user.update_attribute(:crypted_password, wipe_by + User.random_string) + user.update_attribute(:salt , wipe_by + User.random_string) user.update_attribute(:password_reset , false) end diff --git a/BrainPortal/spec/controllers/users_controller_spec.rb b/BrainPortal/spec/controllers/users_controller_spec.rb index 782860b73..47dbeadc1 100644 --- a/BrainPortal/spec/controllers/users_controller_spec.rb +++ b/BrainPortal/spec/controllers/users_controller_spec.rb 
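Review bot: In `send_password` (users_controller.rb) the label in `wipe_user_password_after_oidc_link("password-rest", @user)` looks like a typo for `"password-reset"`. The helper writes it into `crypted_password` and `salt` as `Wiped-By-password-rest-Link-…`, so the misspelling lands in the stored marker that anyone auditing wiped accounts would search for. This branch is reached with only `params[:login]` and `params[:email]` and it writes to the user record, so a log line recording the wipe and what triggered it would help later account reviews. The flash text also confirms that the login/email pair exists and is OIDC-only; if the not-found path (outside this hunk) answers differently, that difference is visible to whoever submits the form. `send_password` starts and ends outside the hunk.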
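Review bot: `wipe_user_password_after_oidc_link` (globus_helpers.rb) now accepts either a provider object or a plain String, but nothing documents that, and the `oidc.is_a?(String)` switch still raises `NoMethodError` on `.name` for `nil` or any other non-provider value. A duck-typed form reads more naturally in Ruby: `label = oidc.respond_to?(:name) ? oidc.name : oidc.to_s` followed by `wipe_by = "Wiped-By-#{label}-Link-"`. A comment above the method should state that `oidc` is a provider object or a short reason label, and that the method overwrites `crypted_password` and `salt` with non-hash marker values and clears `password_reset`. The three `update_attribute` calls are separate saves, so a failure between them would presumably leave the password wiped with the old salt in place; whether that matters depends on how the `User` model verifies passwords, which is not visible here.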
@@ -228,13 +228,13 @@ expect(assigns[:user].password).not_to eq(user.password) end - context "when the account must use Globus identification only" do + context "when the account must use OIDC identification only" do it "should display a message" do allow(mock_user).to receive(:account_locked?).and_return(true) allow(User).to receive_message_chain(:where, :first).and_return(mock_user) post :send_password, params: {:login => user.login, :email => user.email} - expect(flash[:error]).to match(/Globus/i) + expect(flash[:error]).to match(/OpenID/i) end end