COmanage Developers List

[Scott Koranda <>]

Hi,

Right now in the head of develop authenticators may be established by
the enrollee during an enrollment flow.

There is, however, a constraint:

"In order for the Enrollee to be able to establish their Authenticators,
the Enrollment Flow must be configured with Email Confirmation enabled."

Indeed, the code in CoPetitionsController.php in function 

dispatch_enrollment_authenticators() 

will look for the enrollee token and throw an exception if it is not
found.

I have a use case, however, where the CO admins want users already in
the CO to be able to start and run an enrollment flow to add another
role. As part of that enrollment flow to add another role they want the
user to be prompted for (and required to upload) and SSH key. They do
not, however, require the user's email to be verified--the user already
has an active CoPerson record (further, since this is an enrollment flow
to just add a role, the petition has no email address attached to it).

In the function dispatch_enrollment_authenticators() it would be
straightforward to check, in the absence of a token, that the
authenticated user is the enrollee and already has a CoPerson record
that is active. If that were true, I think the code could skip requiring
the token, establish the authenticator, and continue on.

To be concrete, I am suggesting taking this code from lines 997-999 of
CoPetitionsController.php

        if(!$token) {
          throw new InvalidArgumentException(_txt('er.token'));
        }

and adding logic to it to check as outlined above. If it found an active
CoPerson then it would not throw the exception and continue.

(I would probably also need to adjust the calculation of the redirect a
few lines below to not include the token.)

Thoughts?

Scott