Improved handling of users not verified and without profile (except superusers)

zonia3000 · zonia3000 · commit c0c4050594c8 · 2025-10-29T10:51:23.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@
     * Merged "My Profile" and "My settings" pages;
 * Merged user settings into user (\#862);
 * Adapted to OAuth2 changes (\#862);
+* Handled user without profile as not verified users (\#862);
 
 # 1.20.0
 
diff --git a/src/hooks.server.js b/src/hooks.server.js
@@ -83,8 +83,8 @@ export async function handle({ event, resolve }) {
 		if (userInfo === null) {
 			logger.debug('Authentication required - No auth cookie found - Redirecting to login');
 			redirect(302, '/auth/login?invalidate=true');
-		} else if (userInfo.profile_id === null) {
-			logger.debug('User without profile - Redirecting to home');
+		} else if (!userInfo.is_superuser && (userInfo.profile_id === null || !userInfo.is_verified)) {
+			logger.debug('User not verified or without profile - Redirecting to home');
 			redirect(302, '/');
 		}
 	}
diff --git a/src/routes/+layout.svelte b/src/routes/+layout.svelte
@@ -124,7 +124,6 @@
 	const server = $derived(page.data.serverInfo || {});
 	const warningBanner = $derived(page.data.warningBanner);
 	const userEmail = $derived(userLoggedIn ? page.data.userInfo.email : undefined);
-	const isVerified = $derived(userLoggedIn && page.data.userInfo.is_verified);
 </script>
 
 <main>
@@ -216,19 +215,6 @@
 			</div>
 		</div>
 	{/if}
-	{#if userLoggedIn && !isVerified}
-		<div class="container mt-3">
-			<div class="row">
-				<div class="col">
-					<div class="alert alert-warning">
-						<i class="bi bi-exclamation-triangle"></i>
-						<strong>Warning</strong>: as a non-verified user, you have limited access; please
-						contact an admin.
-					</div>
-				</div>
-			</div>
-		</div>
-	{/if}
 	{@render children?.()}
 	<div class="d-flex flex-column min-vh-100 min-vw-100 loading" class:show={$navigating || loading}>
 		<div class="d-flex flex-grow-1 justify-content-center align-items-center">
diff --git a/src/routes/+page.svelte b/src/routes/+page.svelte
@@ -23,8 +23,9 @@
 </script>
 
 <div class="container mt-3">
-	{#if userInfo && userInfo.profile_id === null}
+	{#if userInfo && !userInfo.is_superuser && (userInfo.profile_id === null || !userInfo.is_verified)}
 		<div class="alert alert-warning">
+			<i class="bi bi-exclamation-triangle"></i>
 			This user is not authorized to use this Fractal instance - please contact {env.PUBLIC_FRACTAL_ADMIN_SUPPORT_EMAIL}.
 		</div>
 	{/if}
diff --git a/src/routes/auth/login/+page.svelte b/src/routes/auth/login/+page.svelte
@@ -90,12 +90,13 @@
 						{#if oauth2Provider}
 							<h2 class="accordion-header">
 								<button
-									class="accordion-button collapsed"
+									class="accordion-button"
 									type="button"
 									data-bs-toggle="collapse"
 									data-bs-target="#localLoginCollapse"
 									aria-expanded="false"
 									aria-controls="localLoginCollapse"
+									class:collapsed={!form?.invalidMessage}
 								>
 									Log in with username & password
 								</button>
@@ -104,7 +105,7 @@
 						<div
 							id="localLoginCollapse"
 							class="accordion-collapse collapse"
-							class:show={!oauth2Provider}
+							class:show={!oauth2Provider || form?.invalidMessage}
 						>
 							<div class="accordion-body">
 								<form method="POST">
diff --git a/tests/admin_without_profile.spec.js b/tests/admin_without_profile.spec.js
@@ -0,0 +1,75 @@
+import { expect, test } from '@playwright/test';
+import { login, logout, waitModal, waitPageLoading } from './utils.js';
+
+// Reset storage state for this file to avoid being authenticated
+test.use({ storageState: { cookies: [], origins: [] } });
+
+test('Admin without profile', async ({ page }) => {
+	const randomValue = Math.random().toString(36).substring(7);
+	const randomEmail = `${randomValue}@example.com`;
+
+	await test.step('Login as admin and create test user', async () => {
+		await login(page, 'admin@fractal.xy', '1234');
+		await page.goto('/v2/admin/users/register');
+		await waitPageLoading(page);
+		await page.getByRole('textbox', { name: 'E-mail' }).fill(randomEmail);
+		await page.getByRole('textbox', { name: 'Password', exact: true }).fill('1234');
+		await page.getByRole('textbox', { name: 'Confirm password' }).fill('1234');
+		await page.getByRole('textbox', { name: 'Project dir' }).fill('/tmp');
+		await page.getByRole('button', { name: 'Save' }).first().click();
+		await page.waitForURL(/\/v2\/admin\/users\/\d+\/edit/);
+	});
+
+	await test.step('Grant superuser privileges and unset the profile', async () => {
+		await page.getByLabel('Superuser').check();
+
+		// Unset the profile
+		await page
+			.getByRole('combobox', { name: 'Select resource' })
+			.selectOption('Select resource...');
+		await expect(page.getByRole('combobox', { name: 'Select profile' })).toBeDisabled();
+		await expect(page.getByRole('combobox', { name: 'Select profile' })).toHaveValue('');
+
+		await page.getByRole('button', { name: 'Save' }).click();
+
+		const modal = await waitModal(page);
+		await modal.getByRole('button', { name: 'Confirm' }).click();
+
+		await expect(page.getByText('User successfully updated')).toBeVisible();
+	});
+
+	await test.step('Login as test user', async () => {
+		await logout(page, 'admin@fractal.xy');
+
+		await page.goto('/auth/login');
+		await waitPageLoading(page);
+		await page.getByRole('button', { name: 'Log in with username & password' }).click();
+		await page.getByLabel('Email address').fill(randomEmail);
+		await page.getByLabel('Password').fill('1234');
+		await page.getByRole('button', { name: 'Log in', exact: true }).click();
+
+		await page.waitForURL(/\/v2\/projects/);
+
+		await expect(page.getByText(/Forbidden access/)).toBeVisible();
+	});
+
+	await test.step('Set user profile', async () => {
+		await page.goto('/v2/admin/users');
+		await waitPageLoading(page);
+
+		await page.getByRole('row', { name: randomEmail }).getByRole('link', { name: 'Edit' }).click();
+
+		await page.getByRole('combobox', { name: 'Select resource' }).selectOption('Local resource');
+		await page.getByRole('combobox', { name: 'Select profile' }).selectOption('Local profile');
+		await page.getByRole('button', { name: 'Save' }).click();
+		await expect(page.getByText('User successfully updated')).toBeVisible();
+	});
+
+	await test.step('Check projects page', async () => {
+		await page.goto('/v2/projects');
+		await waitPageLoading(page);
+
+		await expect(page.getByRole('button', { name: 'Create new project' })).toBeVisible();
+		await logout(page, randomEmail);
+	});
+});
diff --git a/tests/user_not_active.spec.js b/tests/user_not_active.spec.js
@@ -0,0 +1,42 @@
+import { expect, test } from '@playwright/test';
+import { login, logout, waitPageLoading } from './utils.js';
+
+// Reset storage state for this file to avoid being authenticated
+test.use({ storageState: { cookies: [], origins: [] } });
+
+test('User not active', async ({ page }) => {
+	const randomValue = Math.random().toString(36).substring(7);
+	const randomEmail = `${randomValue}@example.com`;
+
+	await test.step('Login as admin and create test user', async () => {
+		await login(page, 'admin@fractal.xy', '1234');
+		await page.goto('/v2/admin/users/register');
+		await waitPageLoading(page);
+		await page.getByRole('textbox', { name: 'E-mail' }).fill(randomEmail);
+		await page.getByRole('textbox', { name: 'Password', exact: true }).fill('1234');
+		await page.getByRole('textbox', { name: 'Confirm password' }).fill('1234');
+		await page.getByRole('combobox', { name: 'Select resource' }).selectOption('Local resource');
+		await page.getByRole('combobox', { name: 'Select profile' }).selectOption('Local profile');
+		await page.getByRole('textbox', { name: 'Project dir' }).fill('/tmp');
+		await page.getByRole('button', { name: 'Save' }).first().click();
+		await page.waitForURL(/\/v2\/admin\/users\/\d+\/edit/);
+
+		// Uncheck the active checkbox
+		await page.getByLabel('Active').uncheck();
+		await page.getByRole('button', { name: 'Save' }).click();
+		await expect(page.getByText('User successfully updated')).toBeVisible();
+	});
+
+	await test.step('Login as test user', async () => {
+		await logout(page, 'admin@fractal.xy');
+
+		await page.goto('/auth/login');
+		await waitPageLoading(page);
+		await page.getByRole('button', { name: 'Log in with username & password' }).click();
+		await page.getByLabel('Email address').fill(randomEmail);
+		await page.getByLabel('Password').fill('1234');
+		await page.getByRole('button', { name: 'Log in', exact: true }).click();
+
+		await expect(page.getByText('Invalid credentials')).toBeVisible();
+	});
+});
diff --git a/tests/user_not_verified.spec.js b/tests/user_not_verified.spec.js
@@ -0,0 +1,48 @@
+import { expect, test } from '@playwright/test';
+import { login, logout, waitPageLoading } from './utils.js';
+
+// Reset storage state for this file to avoid being authenticated
+test.use({ storageState: { cookies: [], origins: [] } });
+
+test('User without profile', async ({ page }) => {
+	const randomValue = Math.random().toString(36).substring(7);
+	const randomEmail = `${randomValue}@example.com`;
+
+	await test.step('Login as admin and create test user', async () => {
+		await login(page, 'admin@fractal.xy', '1234');
+		await page.goto('/v2/admin/users/register');
+		await waitPageLoading(page);
+		await page.getByRole('textbox', { name: 'E-mail' }).fill(randomEmail);
+		await page.getByRole('textbox', { name: 'Password', exact: true }).fill('1234');
+		await page.getByRole('textbox', { name: 'Confirm password' }).fill('1234');
+		await page.getByRole('combobox', { name: 'Select resource' }).selectOption('Local resource');
+		await page.getByRole('combobox', { name: 'Select profile' }).selectOption('Local profile');
+		await page.getByRole('textbox', { name: 'Project dir' }).fill('/tmp');
+		await page.getByRole('button', { name: 'Save' }).click();
+		await page.waitForURL(/\/v2\/admin\/users\/\d+\/edit/);
+
+		// Uncheck the verified checkbox
+		await page.getByLabel('Verified').uncheck();
+		await page.getByRole('button', { name: 'Save' }).click();
+		await expect(page.getByText('User successfully updated')).toBeVisible();
+	});
+
+	await test.step('Login as test user', async () => {
+		await logout(page, 'admin@fractal.xy');
+
+		await page.goto('/auth/login');
+		await waitPageLoading(page);
+		await page.getByRole('button', { name: 'Log in with username & password' }).click();
+		await page.getByLabel('Email address').fill(randomEmail);
+		await page.getByLabel('Password').fill('1234');
+		await page.getByRole('button', { name: 'Log in', exact: true }).click();
+
+		await page.waitForURL('/');
+
+		await expect(
+			page.getByText(/This user is not authorized to use this Fractal instance/)
+		).toBeVisible();
+
+		await logout(page, randomEmail);
+	});
+});
diff --git a/tests/user_without_profile.spec.js b/tests/user_without_profile.spec.js
@@ -1,5 +1,5 @@
 import { expect, test } from '@playwright/test';
-import { login, logout, waitPageLoading } from '../utils.js';
+import { login, logout, waitPageLoading } from './utils.js';
 
 // Reset storage state for this file to avoid being authenticated
 test.use({ storageState: { cookies: [], origins: [] } });

Original file line number	Diff line number	Diff line change
`@@ -83,8 +83,8 @@ export async function handle({ event, resolve }) {`
`83`	`83`	`if (userInfo === null) {`
`84`	`84`	`logger.debug('Authentication required - No auth cookie found - Redirecting to login');`
`85`	`85`	`redirect(302, '/auth/login?invalidate=true');`
`86`		`- } else if (userInfo.profile_id === null) {`
`87`		`- logger.debug('User without profile - Redirecting to home');`
	`86`	`+ } else if (!userInfo.is_superuser && (userInfo.profile_id === null \|\| !userInfo.is_verified)) {`
	`87`	`+ logger.debug('User not verified or without profile - Redirecting to home');`
`88`	`88`	`redirect(302, '/');`
`89`	`89`	`}`
`90`	`90`	`}`