views: use LDAPBackendPasswordLost to switch to LDAP account (#43585)

2021-04-01 17:36:54 +02:00 · 2021-04-01 17:36:54 +02:00 · c70f205987
parent aa0e769602
commit c70f205987
2 changed files with 26 additions and 1 deletions
--- a/src/authentic2/views.py
+++ b/src/authentic2/views.py
@ -1362,6 +1362,9 @@ class SuView(View):
        user = switch_user.resolve_token(uuid)
        if not user:
            raise Http404
+        # LDAP ad-hoc behaviour
+        if user.userexternalid_set.exists():
+            user = utils.authenticate(request, user=user)
        return utils.simulate_authentication(request, user, 'su')


--- a/tests/test_ldap.py
+++ b/tests/test_ldap.py
@ -36,7 +36,7 @@ from authentic2.a2_rbac.models import Role
 from authentic2.a2_rbac.utils import get_default_ou
 from authentic2.backends import ldap_backend
 from authentic2.models import Service
-from authentic2.utils import authenticate
+from authentic2.utils import authenticate, switch_user
 from django_rbac.utils import get_ou_model

 from . import utils
@ -1653,3 +1653,25 @@ def test_config_to_lowercase():
            }
        ],
    }
+
+
+def test_switch_user_ldap_user(slapd, settings, app, db):
+    settings.LDAP_AUTH_SETTINGS = [
+        {
+            'url': [slapd.ldap_url],
+            'binddn': force_text(slapd.root_bind_dn),
+            'bindpw': force_text(slapd.root_bind_password),
+            'basedn': u'o=ôrga',
+            'use_tls': False,
+            'attributes': ['carLicense'],
+        }
+    ]
+    # get all users
+    management.call_command('sync-ldap-users', verbosity=2)
+
+    user = User.objects.get(username=USERNAME + '@ldap')
+    url = switch_user.build_url(user)
+    response = app.get(url).follow()
+    assert app.session['_auth_user_backend'] == 'authentic2.backends.ldap_backend.LDAPBackendPasswordLost'
+    template_user = response.context['user']
+    assert 'carlicense' in template_user.get_attributes(object(), {})