X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/5650d4363cf788affbf1b72771111ea856258c12..0df7a1c38affbc50a9c7d8834f9822e398860d91:/services/api/app/controllers/user_sessions_controller.rb

diff --git a/services/api/app/controllers/user_sessions_controller.rb b/services/api/app/controllers/user_sessions_controller.rb
index eaaf7b5b93..3d4b05af4a 100644
--- a/services/api/app/controllers/user_sessions_controller.rb
+++ b/services/api/app/controllers/user_sessions_controller.rb
@@ -1,7 +1,8 @@
 class UserSessionsController < ApplicationController
-  before_filter :require_auth_scope_all, :only => [ :destroy ]
+  before_filter :require_auth_scope, :only => [ :destroy ]
 
   skip_before_filter :find_object_by_uuid
+  skip_before_filter :render_404_if_no_object
 
   respond_to :html
 
@@ -20,6 +21,22 @@ class UserSessionsController < ApplicationController
     end
 
     user = User.find_by_identity_url(omniauth['info']['identity_url'])
+    if not user
+      # Check for permission to log in to an existing User record with
+      # a different identity_url
+      Link.where("link_class = ? and name = ? and tail_uuid = ? and head_uuid like ?",
+                 'permission',
+                 'can_login',
+                 omniauth['info']['email'],
+                 User.uuid_like_pattern).each do |link|
+        if prefix = link.properties['identity_url_prefix']
+          if prefix == omniauth['info']['identity_url'][0..prefix.size-1]
+            user = User.find_by_uuid(link.head_uuid)
+            break if user
+          end
+        end
+      end
+    end
     if not user
       # New user registration
       user = User.new(:email => omniauth['info']['email'],
@@ -31,6 +48,10 @@ class UserSessionsController < ApplicationController
       user.email = omniauth['info']['email']
       user.first_name = omniauth['info']['first_name']
       user.last_name = omniauth['info']['last_name']
+      if user.identity_url.nil?
+        # First login to a pre-activated account
+        user.identity_url = omniauth['info']['identity_url']
+      end
     end
 
     # prevent ArvadosModel#before_create and _update from throwing
@@ -100,7 +121,8 @@ class UserSessionsController < ApplicationController
     api_client_auth = ApiClientAuthorization.
       new(user: user,
           api_client: @api_client,
-          created_by_ip_address: remote_ip)
+          created_by_ip_address: remote_ip,
+          scopes: ["all"])
     api_client_auth.save!
 
     if callback_url.index('?')