diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 2d26703c..816e9074 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -11,6 +11,11 @@ def create
 end
 if new_eid_identity?
+ unless fully_represents_subject?
+ render :insufficient_representation, locals: { eid_token: eid_token }
+ return
+ end
+
 render :new_eid_identity, locals: { eid_token: eid_token }
 return
 end
@@ -27,12 +32,16 @@ def create
 if eid_identity_approval?
 assertion = Upvs::Assertion.assertion(eid_token)
- user.update!(
- eid_sub: eid_sub_from_auth,
- subject_name: assertion.subject_name,
- subject_cin: assertion.subject_cin,
- subject_edesk_number: assertion.subject_edesk_number,
- )
+ if assertion
+ user.update!(
+ eid_sub: eid_sub_from_auth,
+ subject_name: assertion.subject_name,
+ subject_cin: assertion.subject_cin,
+ subject_edesk_number: assertion.subject_edesk_number,
+ )
+ else
+ user.update!(eid_sub: eid_sub_from_auth)
+ end
 end
 unless should_keep_eid_token_in_session?(user.eid_sub)
@@ -105,4 +114,9 @@ def after_login_redirect_path
 return session[:after_login_callback] if session[:after_login_callback]&.start_with?("/") # Only allow local redirects
 root_path
 end
+
+ def fully_represents_subject?
+ assertion = Upvs::Assertion.assertion(eid_token)
+ assertion&.fully_represents_subject?
+ end
 end
diff --git a/app/models/upvs/assertion.rb b/app/models/upvs/assertion.rb
index fb77c53e..607bd08d 100644
--- a/app/models/upvs/assertion.rb
+++ b/app/models/upvs/assertion.rb
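Review bot: The `fully_represents_subject?` gate sits only in the `new_eid_identity?` branch, while the `eid_identity_approval?` branch in the next hunk links `eid_sub` after fetching the same assertion without re-checking representation; if the approval request can be submitted directly rather than through the page rendered here (the predicate is outside the hunk, so I cannot confirm), the insufficient-representation screen is bypassable. Enforce the check where the identity is written as well, e.g. at the top of the approval branch `return render :insufficient_representation, locals: { eid_token: eid_token } unless fully_represents_subject?`. Both paths go through `Upvs::Assertion.assertion(eid_token)`, so memoizing the assertion for the request would also avoid a second SK API round trip. `create` begins before this hunk.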
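Review bot: The new `else` branch links the eID identity with `user.update!(eid_sub: eid_sub_from_auth)` when the assertion could not be fetched, leaving `subject_name`, `subject_cin` and `subject_edesk_number` unset with no record that the lookup failed; the removed lines would have raised on a nil assertion, so this is a deliberate switch to best-effort that should be visible in logs and in a comment. Add `Rails.logger.warn('UPVS assertion unavailable; linking eID identity without subject attributes')` before the fallback update, and a comment stating whether the subject attributes are expected to be filled in on a later login. The surrounding `create` method continues outside the hunk.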
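Review bot: `fully_represents_subject?` yields `nil` (via `&.`) rather than `false` when `Upvs::Assertion.assertion` returns nothing, which is the right fail-closed default but is easy to flip by accident later; document it with `# nil when the assertion cannot be fetched — callers treat that as not represented`. It also performs its own SK API call even though `create` fetches the same assertion in the approval branch; `@assertion ||= Upvs::Assertion.assertion(eid_token)` in a small private reader would share the result within the request. Whether this method lands in the class's private section is not visible here.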
@@ -1,7 +1,17 @@
 module Upvs
 class Assertion
 include ActiveModel::Model
- attr_accessor(:raw, :subject_name, :subject_id, :subject_cin, :subject_edesk_number)
+ attr_accessor(:raw, :subject_name, :subject_id, :subject_cin, :subject_edesk_number, :delegation_type)
+
+ DELEGATION_TYPES = {
+ legal_representation: '0',
+ full_representation: '1',
+ partial_representation: '2',
+ }
+
+ def fully_represents_subject?
+ delegation_type&.to_s&.in?(full_representations)
+ end
 def self.new_from_xml(raw:)
 return unless raw
@@ -19,6 +29,7 @@ def self.new_from_xml(raw:)
 subject_id: doc_attrs.detect{|n| n['Name'] == 'SubjectID' }&.xpath('AttributeValue')&.text,
 subject_cin: doc_attrs.detect{|n| n['Name'] == 'Subject.ICO' }&.xpath('AttributeValue')&.text,
 subject_edesk_number: doc_attrs.detect{|n| n['Name'] == 'Subject.eDeskNumber' }&.xpath('AttributeValue')&.text,
+ delegation_type: doc_attrs.detect{|n| n['Name'] == 'DelegationType' }&.xpath('AttributeValue')&.text,
 )
 end
@@ -47,6 +58,14 @@ def self.get_from_sk_api(client, url, eid_token)
 nil
 end
+ private
+ def full_representations
+ [
+ DELEGATION_TYPES[:legal_representation],
+ DELEGATION_TYPES[:full_representation],
+ ]
+ end
 class SkApiError < StandardError
 end
diff --git a/app/views/sessions/insufficient_representation.html.erb b/app/views/sessions/insufficient_representation.html.erb
new file mode 100644
index 00000000..a3940009
--- /dev/null
+++ b/app/views/sessions/insufficient_representation.html.erb
@@ -0,0 +1,9 @@
+<%= content_for :title, build_page_title('Chyba pri prihlasovaní') %>
+
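Review bot: `DELEGATION_TYPES` is a mutable hash constant feeding an authorization decision (`fully_represents_subject?` decides whether the controller links the identity); close it with `}.freeze` so its values cannot be altered at runtime. In `delegation_type&.to_s&.in?(full_representations)` the second `&.` is dead, since `to_s` never returns `nil`; `delegation_type.to_s.in?(full_representations)` is equivalent, maps a missing attribute to `""` and therefore still answers `false`. A one-line comment on the predicate — `# unknown or missing DelegationType counts as insufficient representation` — would make that fail-closed behaviour explicit.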
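Review bot: The added `delegation_type:` extraction is the only attribute whose value is later interpreted (by `fully_represents_subject?`), yet nothing at this line says what the codes mean; add `# DelegationType codes are mapped in DELEGATION_TYPES ('0' legal, '1' full, '2' partial)`. The downstream comparison is an exact string match, so attribute text carrying surrounding whitespace would be classified as insufficient — the safe direction, but `&.text&.strip` would make the extraction robust if the IdP ever pretty-prints values. `new_from_xml` begins outside the hunk.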
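Review bot: The `private` marker is inserted above `full_representations`, so the nested `class SkApiError < StandardError` now reads as if it were private even though `private` does not affect constant definitions; move the private section below `SkApiError`, or replace the method with a frozen constant next to `DELEGATION_TYPES`, `FULL_REPRESENTATIONS = DELEGATION_TYPES.values_at(:legal_representation, :full_representation).freeze`, which also stops allocating a fresh array on every check. `get_from_sk_api` begins before the hunk.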
Nemáte dostatočné oprávnenia aby ste mohli reprezentovať zvolený subjekt.
+