Add a 'compat login policy violation' page

2026-03-29 08:50:10 +00:00 · 2025-11-25 18:20:14 +00:00
parent f670577feb
commit 86d71de995
4 changed files with 89 additions and 13 deletions
--- a/crates/templates/src/context.rs
+++ b/crates/templates/src/context.rs
@@ -860,6 +860,44 @@ impl PolicyViolationContext {
    }
 }

+/// Context used by the `compat_login_policy_violation.html` template
+#[derive(Serialize)]
+pub struct CompatLoginPolicyViolationContext {
+    violation_codes: Vec<&'static str>,
+}
+
+impl TemplateContext for CompatLoginPolicyViolationContext {
+    fn sample<R: Rng>(
+        _now: chrono::DateTime<Utc>,
+        _rng: &mut R,
+        _locales: &[DataLocale],
+    ) -> BTreeMap<SampleIdentifier, Self>
+    where
+        Self: Sized,
+    {
+        sample_list(vec![
+            CompatLoginPolicyViolationContext {
+                violation_codes: vec![],
+            },
+            CompatLoginPolicyViolationContext {
+                violation_codes: vec!["too-many-sessions"],
+            },
+        ])
+    }
+}
+
+impl CompatLoginPolicyViolationContext {
+    /// Constructs a context for the compatibility login policy violation page
+    /// given the list of violations' codes.
+    ///
+    /// TODO maybe this is not very nice, not sure what the API boundary should
+    /// be
+    #[must_use]
+    pub const fn for_violations(violation_codes: Vec<&'static str>) -> Self {
+        Self { violation_codes }
+    }
+}
+
 /// Context used by the `sso.html` template
 #[derive(Serialize)]
 pub struct CompatSsoContext {
--- a/crates/templates/src/lib.rs
+++ b/crates/templates/src/lib.rs
@@ -37,14 +37,15 @@ mod macros;

 pub use self::{
    context::{
-        AccountInactiveContext, ApiDocContext, AppContext, CompatSsoContext, ConsentContext,
-        DeviceConsentContext, DeviceLinkContext, DeviceLinkFormField, DeviceNameContext,
-        EmailRecoveryContext, EmailVerificationContext, EmptyContext, ErrorContext,
-        FormPostContext, IndexContext, LoginContext, LoginFormField, NotFoundContext,
-        PasswordRegisterContext, PolicyViolationContext, PostAuthContext, PostAuthContextInner,
-        RecoveryExpiredContext, RecoveryFinishContext, RecoveryFinishFormField,
-        RecoveryProgressContext, RecoveryStartContext, RecoveryStartFormField, RegisterContext,
-        RegisterFormField, RegisterStepsDisplayNameContext, RegisterStepsDisplayNameFormField,
+        AccountInactiveContext, ApiDocContext, AppContext, CompatLoginPolicyViolationContext,
+        CompatSsoContext, ConsentContext, DeviceConsentContext, DeviceLinkContext,
+        DeviceLinkFormField, DeviceNameContext, EmailRecoveryContext, EmailVerificationContext,
+        EmptyContext, ErrorContext, FormPostContext, IndexContext, LoginContext, LoginFormField,
+        NotFoundContext, PasswordRegisterContext, PolicyViolationContext, PostAuthContext,
+        PostAuthContextInner, RecoveryExpiredContext, RecoveryFinishContext,
+        RecoveryFinishFormField, RecoveryProgressContext, RecoveryStartContext,
+        RecoveryStartFormField, RegisterContext, RegisterFormField,
+        RegisterStepsDisplayNameContext, RegisterStepsDisplayNameFormField,
        RegisterStepsEmailInUseContext, RegisterStepsRegistrationTokenContext,
        RegisterStepsRegistrationTokenFormField, RegisterStepsVerifyEmailContext,
        RegisterStepsVerifyEmailFormField, SiteBranding, SiteConfigExt, SiteFeatures,
@@ -391,6 +392,9 @@ register_templates! {
    /// Render the policy violation page
    pub fn render_policy_violation(WithLanguage<WithCsrf<WithSession<PolicyViolationContext>>>) { "pages/policy_violation.html" }

+    /// Render the compatibility login policy violation page
+    pub fn render_compat_login_policy_violation(WithLanguage<WithCsrf<WithSession<CompatLoginPolicyViolationContext>>>) { "pages/compat_login_policy_violation.html" }
+
    /// Render the legacy SSO login consent page
    pub fn render_sso_login(WithLanguage<WithCsrf<WithSession<CompatSsoContext>>>) { "pages/sso.html" }

--- a/templates/pages/compat_login_policy_violation.html
+++ b/templates/pages/compat_login_policy_violation.html
@@ -0,0 +1,34 @@
+{#
+Copyright 2024, 2025 New Vector Ltd.
+Copyright 2022-2024 The Matrix.org Foundation C.I.C.
+
+SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
+Please see LICENSE files in the repository root for full details.
+-#}
+
+{% extends "base.html" %}
+
+{% block content %}
+  <header class="page-heading">
+    <div class="icon invalid">
+      {{ icon.error_solid() }}
+    </div>
+
+    <div class="header">
+      <h1 class="title">{{ _("mas.policy_violation.heading") }}</h1>
+      <p class="text">{{ _("mas.policy_violation.description") }}</p>
+    </div>
+  </header>
+
+  <main class="flex flex-col gap-10">
+    <div class="flex gap-1 justify-center items-center">
+      <p class="cpd-text-secondary cpd-text-body-md-regular">
+        {{ _("mas.policy_violation.logged_as", username=current_session.user.username) }}
+      </p>
+
+      {{ logout.button(text=_("action.sign_out"), csrf_token=csrf_token, post_logout_action=action, as_link=True) }}
+    </div>
+
+    <a class="cpd-button destructive" data-kind="primary" data-size="lg" href="/TODO">{{ _("action.cancel") }}</a>
+  </main>
+{% endblock content %}
--- a/translations/en.json
+++ b/translations/en.json
@@ -6,7 +6,7 @@
    },
    "cancel": "Cancel",
    "@cancel": {
-      "context": "pages/consent.html:69:11-29, pages/device_consent.html:127:13-31, pages/policy_violation.html:44:13-31"
+      "context": "pages/compat_login_policy_violation.html:32:89-107, pages/consent.html:69:11-29, pages/device_consent.html:127:13-31, pages/policy_violation.html:44:13-31"
    },
    "continue": "Continue",
    "@continue": {
@@ -22,7 +22,7 @@
    },
    "sign_out": "Sign out",
    "@sign_out": {
-      "context": "pages/account/logged_out.html:22:28-48, pages/consent.html:65:28-48, pages/device_consent.html:136:30-50, pages/index.html:28:28-48, pages/policy_violation.html:38:28-48, pages/sso.html:45:28-48, pages/upstream_oauth2/link_mismatch.html:24:24-44, pages/upstream_oauth2/suggest_link.html:32:26-46"
+      "context": "pages/account/logged_out.html:22:28-48, pages/compat_login_policy_violation.html:29:28-48, pages/consent.html:65:28-48, pages/device_consent.html:136:30-50, pages/index.html:28:28-48, pages/policy_violation.html:38:28-48, pages/sso.html:45:28-48, pages/upstream_oauth2/link_mismatch.html:24:24-44, pages/upstream_oauth2/suggest_link.html:32:26-46"
    },
    "skip": "Skip",
    "@skip": {
@@ -496,17 +496,17 @@
    "policy_violation": {
      "description": "This might be because of the client which authored the request, the currently logged in user, or the request itself.",
      "@description": {
-        "context": "pages/policy_violation.html:19:25-62",
+        "context": "pages/compat_login_policy_violation.html:19:25-62, pages/policy_violation.html:19:25-62",
        "description": "Displayed when an authorization request is denied by the policy"
      },
      "heading": "The authorization request was denied by the policy enforced by this service",
      "@heading": {
-        "context": "pages/policy_violation.html:18:27-60",
+        "context": "pages/compat_login_policy_violation.html:18:27-60, pages/policy_violation.html:18:27-60",
        "description": "Displayed when an authorization request is denied by the policy"
      },
      "logged_as": "Logged as <span class=\"font-semibold\">%(username)s</span>",
      "@logged_as": {
-        "context": "pages/policy_violation.html:35:11-86"
+        "context": "pages/compat_login_policy_violation.html:26:11-86, pages/policy_violation.html:35:11-86"
      }
    },
    "recovery": {