idp_cas: fix retrieval of LDAP user attributes (#86089)

2024-01-24 21:36:13 +01:00 · 2024-01-24 21:36:13 +01:00 · d50622cb81
parent 3ab951f818
commit d50622cb81
1 changed files with 10 additions and 3 deletions
--- a/src/authentic2_idp_cas/views.py
+++ b/src/authentic2_idp_cas/views.py
@ -31,6 +31,7 @@ from authentic2.utils import hooks
 from authentic2.utils.misc import (
    attribute_values_to_identifier,
    find_authentication_event,
+    get_user_from_session_key,
    login_require,
    make_url,
    normalize_attribute_values,
@ -281,15 +282,21 @@ class ValidateBaseView(CasMixin, View):
        '''Retrieve attribute for users of the session linked to the ticket'''
        if not hasattr(st, 'attributes'):
            wanted_attributes = st.service.get_wanted_attributes()
-            st.attributes = get_attributes(
+            # use from session can be an LDAPUser with special attributes
+            user = get_user_from_session_key(st.session_key)
+            if not user.pk:  # anonymous user, fail
+                return None
+            if user.pk != st.user_id:
+                return None  # user has changed, fail
+            attributes = get_attributes(
                {
                    'request': request,
-                    'user': st.user,
+                    'user': user,
                    'service': st.service,
                    '__wanted_attributes': wanted_attributes,
                }
            )
-        return st.attributes
+        return attributes

    def validation_failure(self, request, service, code):
        self.logger.warning('validation failed service: %r code: %s', service, code)