frontend page for creating a new realm

[varCepheid]

closes #1510

[varCepheid]

@calebeby At line 37 in new-realm, the server gets a request to POST a new realm, even if that realm is already in the database. Is there a check that should happen in the frontend code to make sure that doesn't happen, or will the backend take care of it?

[calebeby]

@varCepheid The checks are passing on the dev branch, and if this branch is up to date with that branch, then the checks should be passing here too. I think at least some of the changes in this PR aren't needed to make checks pass.

[calebeby]

@varCepheid I have a question about how this flow works for users. If a team was to create a new realm, now that realm has no users. So in order for them to start making approved users for their realm, they'd need to make an unverified user in that realm, and still go through the manual process of contacting pigmice and getting their account verified and set to admin. Then they could go and make other users.

Is it intended to still have that manual step there or were you envisioning something different?

[calebeby]

@varCepheid it looks like newly-created realms have shareReports set to false, while all the previous realms have it set to true. Is that intentional?

[varCepheid]

The shareReports bit was unintentional and I fixed it. My solution to the no-admins problem was to make the new-realm form have all the same fields as the signup form, so it creates the first account in the same action in the new realm and sets it to be an admin.

[varCepheid]

I realized that making a user automatically an admin A. is a bad idea and B. gives us no oversight of new realms. I think we should just indicate that a new user in a new realm needs to join the Slack to become an admin.

[calebeby]

@varCepheid Good point. However, if the backend already allows it, then people still could technically do it themselves (not a big fan of "security by obscurity"). Maybe we should make the backend have a constraint on creating new admin users/realms.

[varCepheid]

There actually is already a backend constraint, which meant the user creation request wasn't going through, because a non-admin user (in this case not even logged in) can't create users. I think the ideal way to do this is to create only the realm and then force the would-be admin to communicate with us about creating their user. The alternative is to create a dummy super-admin and log in as that user for only the time it takes to create the new user.

[varCepheid]

After talking with Elijah, I realized that of course a non-user can create a user because the signup page does it. The actual problem was in the return type of the createRealm method, but that's largely unimportant. Currently, the new-realm form creates the realm with an unverified user in it and directs the user to email me and get connected to the Slack. From there, we can verify them and make them an admin. I think this system puts the least burden on us but still allows us oversight of who is running realms.