BAP-14126: User is unable to login when it is not assigned to organiz…

…… (#8951)

src/Oro/Bundle/SecurityBundle/Authentication/Provider/UsernamePasswordOrganizationAuthenticationProvider.php

@@ -45,9 +45,7 @@ public function authenticate(TokenInterface $token)
         $user         = $authenticatedToken->getUser();
         $organization = $guesser->guess($user, $token);
 
-        if (!$organization) {
-            throw new BadCredentialsException("You don't have active organization assigned.");
-        } elseif (!$user->getOrganizations(true)->contains($organization)) {
+        if ($organization && !$user->getOrganizations(true)->contains($organization)) {
             throw new BadCredentialsException(
                 sprintf("You don't have access to organization '%s'", $organization->getName())
             );

src/Oro/Bundle/UserBundle/Exception/OrganizationException.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace Oro\Bundle\UserBundle\Exception;
+
+use Symfony\Component\Security\Core\Exception\AccountStatusException;
+
+class OrganizationException extends AccountStatusException
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getMessageKey()
+    {
+        return 'You don\'t have active organization assigned.';
+    }
+}

src/Oro/Bundle/UserBundle/Resources/translations/security.en.yml

@@ -1,2 +1,3 @@
 "Invalid credentials.": "Invalid user name or password."
 "Password has been changed.": "Your password was updated by administrator. You should have received an email with your new password."
+"You don't have active organization assigned.": "You don't have active organization assigned."

src/Oro/Bundle/UserBundle/Security/UserChecker.php

@@ -13,6 +13,7 @@
 use Oro\Bundle\UserBundle\Entity\UserManager;
 use Oro\Bundle\UserBundle\Exception\PasswordChangedException;
 use Oro\Bundle\UserBundle\Exception\CredentialsResetException;
+use Oro\Bundle\UserBundle\Exception\OrganizationException;
 
 class UserChecker extends BaseUserChecker
 {
@@ -40,6 +41,23 @@ public function __construct(
         $this->translator          = $translator;
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function checkPostAuth(UserInterface $user)
+    {
+        parent::checkPostAuth($user);
+
+        if ($user instanceof User && null !== $user->getAuthStatus()) {
+            if (!$this->hasOrganization($user)) {
+                $exception = new OrganizationException();
+                $exception->setUser($user);
+
+                throw $exception;
+            }
+        }
+    }
+
     /**
      * {@inheritdoc}
      */
@@ -74,4 +92,14 @@ public function checkPreAuth(UserInterface $user)
             throw $exception;
         }
     }
+
+    /**
+     * @param User $user
+     *
+     * @return bool
+     */
+    protected function hasOrganization(User $user)
+    {
+        return $user->getOrganizations(true)->count() > 0;
+    }
 }

src/Oro/Bundle/UserBundle/Tests/Unit/Security/UserCheckerTest.php

@@ -7,6 +7,7 @@
 
 use Oro\Bundle\EntityConfigBundle\DependencyInjection\Utils\ServiceLink;
 use Oro\Bundle\UserBundle\Security\UserChecker;
+use Oro\Bundle\UserBundle\Tests\Unit\Stub\OrganizationStub;
 use Oro\Bundle\UserBundle\Tests\Unit\Stub\UserStub as User;
 
 class UserCheckerTest extends \PHPUnit_Framework_TestCase
@@ -83,6 +84,22 @@ public function testCheckPreAuth(UserInterface $user, $getTokenCalls, $token, $e
         $this->userChecker->checkPreAuth($user);
     }
 
+    /**
+     * @param UserInterface $user
+     * @param boolean       $exceptionThrown
+     *
+     * @dataProvider checkPostAuthProvider
+     */
+    public function testCheckPostAuth(UserInterface $user, $exceptionThrown)
+    {
+        if ($exceptionThrown) {
+            $this->expectException('Oro\Bundle\UserBundle\Exception\OrganizationException');
+            $this->expectExceptionMessage('');
+        }
+
+        $this->userChecker->checkPostAuth($user);
+    }
+
     public function checkPreAuthProvider()
     {
         $data = [];
@@ -137,4 +154,36 @@ public function checkPreAuthProvider()
 
         return $data;
     }
+
+    public function checkPostAuthProvider()
+    {
+        $data = [];
+
+        $user = $this->createMock('Symfony\Component\Security\Core\User\UserInterface');
+        $data['invalid_user_class'] = [
+            'user' => $user,
+            'exceptionThrown' => false,
+        ];
+
+        $organization = new OrganizationStub();
+        $organization->setEnabled(true);
+        $user1 = new User();
+        $user1->addOrganization($organization);
+        $authStatus = $this->createMock('Oro\Bundle\EntityExtendBundle\Entity\AbstractEnumValue');
+        $user1->setAuthStatus($authStatus);
+        $data['with_organization'] = [
+            'user' => $user1,
+            'exceptionThrown' => false,
+        ];
+
+        $user2 = new User();
+        $authStatus = $this->createMock('Oro\Bundle\EntityExtendBundle\Entity\AbstractEnumValue');
+        $user2->setAuthStatus($authStatus);
+        $data['without_organization'] = [
+            'user' => $user2,
+            'exceptionThrown' => true,
+        ];
+
+        return $data;
+    }
 }

src/Oro/Bundle/UserBundle/Tests/Unit/Stub/OrganizationStub.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace Oro\Bundle\UserBundle\Tests\Unit\Stub;
+
+use Oro\Bundle\OrganizationBundle\Entity\Organization;
+
+class OrganizationStub extends Organization
+{
+    /**
+     * @param int $id
+     */
+    public function setId($id)
+    {
+        $this->id = $id;
+    }
+}