Problem
Some users shouldn't be able to log in to Bileto. This can be because the users are deactivated, or because we want to hide Bileto from them.
Solution
Add an option in the user form to disable the login.
Specifications
The "prevent login" checkbox
Add a "DATETIMETZ_IMMUTABLE" attribute to the User entity named loginDisabledAt, set to null by default.
Add an unmapped checkbox "Prevent the user from logging in" to the App\Form\UserForm. If checked, it sets the value of loginDisabledAt to now.
When loginDisabledAt is set, it should also change the user password. This should allow logging out the corresponding user, as explained in https://symfony.com/doc/current/security.html#understanding-how-users-are-refreshed-from-the-session
If the user cannot log in, display the information in the user page (e.g. "Login disabled").
Disable login
In App\Security\FormLoginAuthenticator::authenticate, load the user right after getting the $userLoader. Check if the user can log in, and raise a CustomUserMessageAuthenticationException error otherwise.
Disable reset password
A disabled user shouldn't be able to reset its password.
In App\Form\Password\ResetForm, fail if the user is disabled.
In App\Controller\PasswordsController::edit, fail if the user is disabled.
Change email notifications
The email notifications invite the user to log in to Bileto. If the user cannot log in, we must remove these mentions from the email.
As the emails are actually sent to all the ticket's actors at once, we must change this behaviour in order to send individual emails.
Estimated time
1 - 2 days
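A stand-alone sketch of the specification above, added here as an example and not taken from Bileto's code: it models loginDisabledAt, the password change that invalidates an existing session, and one guard shared by the login and reset-password paths. The User class, LoginDisabledException (a stand-in for CustomUserMessageAuthenticationException), assertCanLogin and sessionStillValid are hypothetical names, and the sample user is constructed.

```php
<?php
declare(strict_types=1);

// Stand-in for Symfony's CustomUserMessageAuthenticationException (assumption).
final class LoginDisabledException extends RuntimeException {}

// Minimal model of the User entity described above; not Bileto's class.
final class User
{
    public ?DateTimeImmutable $loginDisabledAt = null;

    public function __construct(public string $email, public string $passwordHash) {}

    public function canLogin(): bool
    {
        return $this->loginDisabledAt === null;
    }

    // Checking the box: record the time and replace the password hash with
    // the hash of a random secret that nobody knows.
    public function disableLogin(): void
    {
        $this->loginDisabledAt = new DateTimeImmutable();
        $this->passwordHash = password_hash(bin2hex(random_bytes(32)), PASSWORD_DEFAULT);
    }
}

// Single guard to call from the login form, the reset form and the reset controller.
function assertCanLogin(User $user): void
{
    if (!$user->canLogin()) {
        throw new LoginDisabledException('Login disabled');
    }
}

// Models the session refresh: a session that stored the old hash no longer
// matches the reloaded user, so that session is treated as logged out.
function sessionStillValid(string $hashStoredInSession, User $reloaded): bool
{
    return hash_equals($hashStoredInSession, $reloaded->passwordHash);
}

// Constructed sample data.
$user = new User('alix@example.org', password_hash('old-password', PASSWORD_DEFAULT));
$sessionHash = $user->passwordHash;
$user->disableLogin();

var_dump(sessionStillValid($sessionHash, $user));
try {
    assertCanLogin($user);
} catch (LoginDisabledException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Routing all three entry points through the same guard keeps the reset-password path from becoming a way back in for a disabled account.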