Virtual Y + Y-USA Auth: Staff roles with emails in NWM gain access without password on normal landing page login

[TomScarboroughYMCA]

Repro Steps

Using the production North Penn Virtual Y site, which authorizes members using Y-USA Authentication:

• Locate a staff member (Site Owner and/or Virtual YMCA Editor roles) with an email address registered within Nationwide Membership. Example: [email protected]
• Attempt a login with this email address on the Virtual Y Login landing page.
• That user will be authorized and signed-in as a normal Virtual YMCA member
• If the staff had Virtual YMCA Editor role prior to this login, the member will get automatically changed to having just the Virtual YMCA role.
• If the staff user had the Site Owner role prior to this login, the user will retain that role with all the associated admin privileges without having to provide a password.

Expected Behavior

Despite the email address for this user being in Nationwide Membership, a check needs to be made in the Virtual Y backend that checks for Admin-level roles assigned prior to signing that user in without having provided a password. They must login at the https://{sitename.y.org}/user/login page.

Actual Behavior

Admin-level users are able to gain access to the Virtual Y site without having to provide a password, if the email used is registered within Nationwide Membership.

Acceptance Criteria

Virtual Y users with either Site Owner or Virtual YMCA Editor roles should only be allowed to gain access to the Virtual Y site using the login prompt at https://{sitename.y.org}/user/login, even if the email address for the user is registered within Nationwide Membership.

[sarah-halby]

@anpolimus can you take a look at the PR please so we can discuss on 6/15? @gianni-imagex can you please add this to our agenda for tomorrow and ensure there is a Jira ticket for this issue?

[gianni-imagex]

Jira ticket for this issue: https://openy.atlassian.net/browse/PRODDEV-368 @sarah-halby @anpolimus