authentic: allow provisionning some technical roles (#36398)
parent
de7639376b
commit
848ce782ef
|
@ -85,6 +85,8 @@ class Provisionning(threading.local):
|
|||
instance.ou = ous[instance.ou_id]
|
||||
|
||||
def notify_users(self, ous, users, mode='provision'):
|
||||
allowed_technical_roles_prefixes = getattr(settings, 'HOBO_PROVISION_ROLE_PREFIXES', []) or []
|
||||
|
||||
if mode == 'provision':
|
||||
users = (User.objects.filter(id__in=[u.id for u in users])
|
||||
.select_related('ou').prefetch_related('attribute_values__attribute'))
|
||||
|
@ -95,6 +97,9 @@ class Provisionning(threading.local):
|
|||
for user in users:
|
||||
ous.setdefault(user.ou, set()).add(user)
|
||||
|
||||
def is_forbidden_technical_role(role):
|
||||
return role.slug.startswith('_') and not role.slug.startswith(tuple(allowed_technical_roles_prefixes))
|
||||
|
||||
issuer = unicode(self.get_entity_id())
|
||||
if mode == 'provision':
|
||||
|
||||
|
@ -103,7 +108,7 @@ class Provisionning(threading.local):
|
|||
data = {}
|
||||
# filter user's roles visible by the service's ou
|
||||
roles = [role for role in user_roles.get(user.id, [])
|
||||
if (not role.slug.startswith('_')
|
||||
if (not is_forbidden_technical_role(role)
|
||||
and (role.ou_id is None or (ou and role.ou_id == ou.id)))]
|
||||
data.update({
|
||||
'uuid': user.uuid,
|
||||
|
|
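Review bot: The value read from `HOBO_PROVISION_ROLE_PREFIXES` at the top of `notify_users` is passed to `tuple(...)` inside `is_forbidden_technical_role` without any validation, so a misconfigured setting can quietly disable the technical-role filter. If the setting is a bare string such as `'_a2'`, `tuple()` splits it into characters, one of which is `'_'`. Every `_`-prefixed slug then matches and all technical roles are provisioned to services, and an empty-string entry in the list has the same effect. I would check once, next to the `getattr`, that the setting is a list or tuple, and build the tuple there with something like `allowed_prefixes = tuple(p for p in allowed_technical_roles_prefixes if p)`, which also avoids rebuilding it for every role. A short comment there should state that the prefixes are an allow-list of internal roles exposed to downstream services; the body of `notify_users` continues outside the hunks shown.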