Onboarding: Invite new users (#5714)

* Server Users: More precise message when inviting users This lets the admin who invited a new user know whether or not an email has been sent. If the SMTP server hasn't been set up, they need to share the invite link with the user. * Onboarding: Invite new users - Separates the user self-registration and invite cases - Adds invitation email for users created by the admin - Adds invitation tokens to verify user was invited - Adds handler action for invite links - Refactors `UserEventHostedService` * Remove duplicate status message from views that use the wizard layout * Auto-approve users created by an admin * Notify admins via email if a new account requires approval * Update wording * Fix update user error * Fix redirect to email confirmation in invite action * Fix precondition checks after signup * Improve admin notification Send notification only if the user does not require email confirmation or when they confirmed their email address. Rationale: We want to inform admins only about qualified users and not annoy them with bot registrations. * Allow approval alongside resending confirm email * Use user email in log messages instead of ID * Prevent unnecessary notification after email confirmation * Use ApplicationUser type explicitly * Fix after rebase * Refactoring: Do not subclass UserRegisteredEvent
2025-12-17 05:54:26 +01:00 · 2024-02-28 12:43:18 +01:00
parent 8b446e2791
commit e43b4ed540
24 changed files with 394 additions and 237 deletions
--- a/BTCPayServer/Controllers/UIServerController.Users.cs
+++ b/BTCPayServer/Controllers/UIServerController.Users.cs
@@ -9,6 +9,7 @@ using BTCPayServer.Data;
 using BTCPayServer.Events;
 using BTCPayServer.Models.ServerViewModels;
 using BTCPayServer.Services;
+using BTCPayServer.Services.Mails;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
@@ -102,7 +103,7 @@ namespace BTCPayServer.Controllers
            bool? adminStatusChanged = null;
            bool? approvalStatusChanged = null;

-            if (user.RequiresApproval && viewModel.Approved.HasValue)
+            if (user.RequiresApproval && viewModel.Approved.HasValue && user.Approved != viewModel.Approved.Value)
            {
                approvalStatusChanged = await _userService.SetUserApproval(user.Id, viewModel.Approved.Value, Request.GetAbsoluteRootUri());
            }
@@ -149,7 +150,6 @@ namespace BTCPayServer.Controllers
        [HttpGet("server/users/new")]
        public IActionResult CreateUser()
        {
-            ViewData["AllowRequestApproval"] = _policiesSettings.RequiresUserApproval;
            ViewData["AllowRequestEmailConfirmation"] = _policiesSettings.RequiresConfirmedEmail;
            return View();
        }
@@ -157,13 +157,11 @@ namespace BTCPayServer.Controllers
        [HttpPost("server/users/new")]
        public async Task<IActionResult> CreateUser(RegisterFromAdminViewModel model)
        {
-            ViewData["AllowRequestApproval"] = _policiesSettings.RequiresUserApproval;
            ViewData["AllowRequestEmailConfirmation"] = _policiesSettings.RequiresConfirmedEmail;
            if (!_Options.CheatMode)
                model.IsAdmin = false;
            if (ModelState.IsValid)
            {
-                IdentityResult result;
                var user = new ApplicationUser
                {
                    UserName = model.Email,
@@ -171,18 +169,13 @@ namespace BTCPayServer.Controllers
                    EmailConfirmed = model.EmailConfirmed,
                    RequiresEmailConfirmation = _policiesSettings.RequiresConfirmedEmail,
                    RequiresApproval = _policiesSettings.RequiresUserApproval,
-                    Approved = model.Approved,
+                    Approved = true, // auto-approve users created by an admin
                    Created = DateTimeOffset.UtcNow
                };

-                if (!string.IsNullOrEmpty(model.Password))
-                {
-                    result = await _UserManager.CreateAsync(user, model.Password);
-                }
-                else
-                {
-                    result = await _UserManager.CreateAsync(user);
-                }
+                var result = string.IsNullOrEmpty(model.Password)
+                    ? await _UserManager.CreateAsync(user)
+                    : await _UserManager.CreateAsync(user, model.Password);

                if (result.Succeeded)
                {
@@ -190,37 +183,30 @@ namespace BTCPayServer.Controllers
                        model.IsAdmin = false;

                    var tcs = new TaskCompletionSource<Uri>();
+                    var currentUser = await _UserManager.GetUserAsync(HttpContext.User);

-                    _eventAggregator.Publish(new UserRegisteredEvent()
+                    _eventAggregator.Publish(new UserRegisteredEvent
                    {
+                        Kind = UserRegisteredEventKind.Invite,
                        RequestUri = Request.GetAbsoluteRootUri(),
                        User = user,
-                        Admin = model.IsAdmin is true,
+                        InvitedByUser = currentUser,
+                        Admin = model.IsAdmin,
                        CallbackUrlGenerated = tcs
                    });
+                    
                    var callbackUrl = await tcs.Task;
-
-                    if (user.RequiresEmailConfirmation && !user.EmailConfirmed)
+                    var settings = await _SettingsRepository.GetSettingAsync<EmailSettings>() ?? new EmailSettings();
+                    var info = settings.IsComplete()
+                        ? "An invitation email has been sent.<br/>You may alternatively"
+                        : "An invitation email has not been sent, because the server does not have an email server configured.<br/> You need to";
+                    
+                    TempData.SetStatusMessageModel(new StatusMessageModel
                    {
-
-                        TempData.SetStatusMessageModel(new StatusMessageModel()
-                        {
-                            Severity = StatusMessageModel.StatusSeverity.Success,
-                            AllowDismiss = false,
-                            Html =
-                                $"Account created without a set password. An email will be sent (if configured) to set the password.<br/> You may alternatively share this link with them: <a class='alert-link' href='{callbackUrl}'>{callbackUrl}</a>"
-                        });
-                    }
-                    else if (!await _UserManager.HasPasswordAsync(user))
-                    {
-                        TempData.SetStatusMessageModel(new StatusMessageModel()
-                        {
-                            Severity = StatusMessageModel.StatusSeverity.Success,
-                            AllowDismiss = false,
-                            Html =
-                                $"Account created without a set password. An email will be sent (if configured) to set the password.<br/> You may alternatively share this link with them: <a class='alert-link' href='{callbackUrl}'>{callbackUrl}</a>"
-                        });
-                    }
+                        Severity = StatusMessageModel.StatusSeverity.Success,
+                        AllowDismiss = false,
+                        Html = $"Account successfully created. {info} share this link with them: <a class='alert-link' href='{callbackUrl}'>{callbackUrl}</a>"
+                    });
                    return RedirectToAction(nameof(ListUsers));
                }

@@ -377,8 +363,5 @@ namespace BTCPayServer.Controllers

        [Display(Name = "Email confirmed?")]
        public bool EmailConfirmed { get; set; }
-
-        [Display(Name = "User approved?")]
-        public bool Approved { get; set; }
    }
 }