From 73e6baae5171562af62927077425d05fa0e6aaab Mon Sep 17 00:00:00 2001
From: Antti Hukkanen
Date: Tue, 5 Nov 2024 16:17:18 +0200
Subject: [PATCH] Add fix for admin users with a pending password change
Issue fixed with later versions of Decidim but applying the fix to the module 0.27 version for now as well, see: https://github.com/decidim/decidim/pull/13354
---
 .../omniauth_callbacks_controller.rb | 13 +++++++++++++
 .../omniauth_callbacks_controller_spec.rb | 12 ++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/app/controllers/decidim/helsinki_profile/omniauth_callbacks_controller.rb b/app/controllers/decidim/helsinki_profile/omniauth_callbacks_controller.rb
index 6c87114..38bf5be 100644
--- a/app/controllers/decidim/helsinki_profile/omniauth_callbacks_controller.rb
+++ b/app/controllers/decidim/helsinki_profile/omniauth_callbacks_controller.rb
@@ -91,6 +91,19 @@ def first_login_and_not_authorized?(_user)
 private
+ # Fixes an issue with the login if the user has a pending change password.
+ #
+ # For further details, see:
+ # https://github.com/decidim/decidim/pull/13354
+ #
+ # This can be removed after the above mentioned PR is merged to the core
+ # and the fix is shipped in a release.
+ #
+ # Issue has been fixed in versions 0.27.6 and 0.28.1.
+ def change_password_path
+ decidim.change_password_path
+ end
+
 def authorize_user(user)
 authenticator.authorize_user!(user)
 rescue Decidim::HelsinkiProfile::Authentication::AuthorizationBoundToOtherUserError
diff --git a/spec/controllers/decidim/helsinki_profile/omniauth_callbacks_controller_spec.rb b/spec/controllers/decidim/helsinki_profile/omniauth_callbacks_controller_spec.rb
index 4c2dfa7..9f78ea3 100644
--- a/spec/controllers/decidim/helsinki_profile/omniauth_callbacks_controller_spec.rb
+++ b/spec/controllers/decidim/helsinki_profile/omniauth_callbacks_controller_spec.rb
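Review bot: The comment on `change_password_path` in omniauth_callbacks_controller.rb gives two removal conditions that do not agree: it says the override can go once the upstream PR is merged and released, and then says the fix already shipped in 0.27.6 and 0.28.1. Judging by the accompanying spec, this helper is what sends an admin with an outdated password to the forced password change after an external login, so the condition should be explicit enough that nobody drops the override while an older core is still supported, e.g. `# TODO: remove once the minimum supported Decidim version is 0.27.6 (or 0.28.1 on the 0.28 line).` The method is added under `private`, a section that starts before the hunk and continues past it.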
@@ -135,6 +135,18 @@
 expect(user.email).to eq(email)
 expect(user.unconfirmed_email).to be_nil
 end
+
+ context "when the user is an admin with a pending password change request" do
+ let!(:user) { create(:user, :admin, organization: organization, email: email, sign_in_count: 1, password_updated_at: 1.year.ago) }
+
+ it "redirects to the password change path" do
+ get(
+ "/users/auth/helsinki/callback?code=#{code}&state=#{omniauth_state}"
+ )
+
+ expect(response).to redirect_to("/change_password")
+ end
+ end
 end
 context "when email is unverified according to the authenticator" do
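Review bot: The new context only pins the positive case, so a regression that redirects every signed-in user to `/change_password` would still pass this spec. I would add a sibling context with the same admin but a recent `password_updated_at`, and ideally one with a non-admin user with an old one, each asserting `expect(response).not_to redirect_to("/change_password")`. The `1.year.ago` value presumably relies on the configured admin password expiry being shorter than a year; a short comment on the `let!` saying so would keep the test from silently changing meaning if that setting is raised. The enclosing `context` and `describe` blocks start and end outside the hunk.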