authentic: allow provisionning some technical roles (#36398)

2019-09-24 11:41:51 +02:00 · 2019-09-24 11:41:51 +02:00 · 848ce782ef
parent de7639376b
commit 848ce782ef
1 changed files with 6 additions and 1 deletions
--- a/hobo/agent/authentic2/provisionning.py
+++ b/hobo/agent/authentic2/provisionning.py
@ -85,6 +85,8 @@ class Provisionning(threading.local):
                instance.ou = ous[instance.ou_id]

    def notify_users(self, ous, users, mode='provision'):
+        allowed_technical_roles_prefixes = getattr(settings, 'HOBO_PROVISION_ROLE_PREFIXES', []) or []
+
        if mode == 'provision':
            users = (User.objects.filter(id__in=[u.id for u in users])
                     .select_related('ou').prefetch_related('attribute_values__attribute'))
@ -95,6 +97,9 @@ class Provisionning(threading.local):
        for user in users:
            ous.setdefault(user.ou, set()).add(user)

+        def is_forbidden_technical_role(role):
+            return role.slug.startswith('_') and not role.slug.startswith(tuple(allowed_technical_roles_prefixes))
+
        issuer = unicode(self.get_entity_id())
        if mode == 'provision':

@ -103,7 +108,7 @@ class Provisionning(threading.local):
                data = {}
                # filter user's roles visible by the service's ou
                roles = [role for role in user_roles.get(user.id, [])
-                         if (not role.slug.startswith('_')
+                         if (not is_forbidden_technical_role(role)
                             and (role.ou_id is None or (ou and role.ou_id == ou.id)))]
                data.update({
                    'uuid': user.uuid,