provisioning: only send user's roles visible by the service (#35168)
parent
83b285a467
commit
83ee68e26a
@ -98,10 +98,13 @@ class Provisionning(threading.local):
|
|||
issuer = unicode(self.get_entity_id())
|
||||
if mode == 'provision':
|
||||
|
||||
def user_to_json(service, user, user_roles):
|
||||
def user_to_json(ou, service, user, user_roles):
|
||||
from authentic2.api_views import BaseUserSerializer
|
||||
data = {}
|
||||
roles = user.roles_and_parents().prefetch_related('attributes')
|
||||
# filter user's roles visible by the service's ou
|
||||
roles = [role for role in user_roles.get(user.id, [])
|
||||
if (not role.slug.startswith('_')
|
||||
and (role.ou_id is None or role.ou_id == ou.id))]
|
||||
data.update({
|
||||
'uuid': user.uuid,
|
||||
'username': user.username,
|
||||
|
@ -166,7 +169,7 @@ class Provisionning(threading.local):
|
|||
'full': False,
|
||||
'objects': {
|
||||
'@type': 'user',
|
||||
'data': [user_to_json(service, user, user_roles)],
|
||||
'data': [user_to_json(ou, service, user, user_roles)],
|
||||
}
|
||||
})
|
||||
else:
|
||||
|
@ -183,7 +186,7 @@ class Provisionning(threading.local):
|
|||
'full': False,
|
||||
'objects': {
|
||||
'@type': 'user',
|
||||
'data': [user_to_json(None, user, user_roles) for user in users],
|
||||
'data': [user_to_json(ou, None, user, user_roles) for user in users],
|
||||
}
|
||||
})
|
||||
elif users:
|
||||
|
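Review bot: The new filter in user_to_json dereferences `ou.id` for every role that has an ou_id set, so a None `ou` would raise AttributeError instead of filtering; the third hunk passes `ou` from the enclosing scope next to `service=None`, and where `ou` is bound is outside these hunks, so I cannot tell whether None is reachable. If it is, hoist the comparison so the intent is explicit: `ou_id = ou.id if ou is not None else None` and filter with `role.ou_id in (None, ou_id)`, which is equivalent to the current expression for a non-None ou. A short docstring on user_to_json stating the contract — roles whose slug starts with `_` are never sent, roles bound to no OU are sent to every service, and OU-bound roles only to services of the same OU — would make the disclosure boundary this commit narrows reviewable without reading the comprehension. The enclosing method of Provisionning begins before the first hunk and user_to_json's body continues past it.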