backoffice: close backoffice if an IdP is defined (#10440)

2018-12-31 11:27:46 +01:00 · 2018-12-31 11:27:46 +01:00 · 43d0336bb4
parent 8fd46311a5
commit 43d0336bb4
2 changed files with 14 additions and 2 deletions
--- a/tests/test_admin_pages.py
+++ b/tests/test_admin_pages.py
@ -100,6 +100,12 @@ def test_empty_site(pub):
    resp = get_app(pub).get('/backoffice/')
    resp = resp.click('Settings', index=0)

+def test_empty_site_but_idp_settings(pub):
+    pub.cfg['idp'] = {'xxx': {}}
+    pub.write_cfg()
+    resp = get_app(pub).get('/backoffice/')
+    assert resp.location == 'http://example.net/login/?next=http%3A%2F%2Fexample.net%2Fbackoffice%2F'
+
 def test_with_user(pub):
    create_superuser(pub)
    resp = get_app(pub).get('/backoffice/', status=302)
@ -3994,10 +4000,12 @@ def test_settings_auth(pub):

@pytest.mark.skipif('lasso is None')
 def test_settings_idp(pub):
-    pub.user_class.wipe() # makes sure there are no users
+    # create admin session
+    create_superuser(pub)
+    app = login(get_app(pub))
+
    pub.cfg['identification'] = {'methods': ['idp']}
    pub.write_cfg()
-    app = get_app(pub)
    app.get('/saml/metadata', status=404)
    resp = app.get('/backoffice/settings/')
    resp = resp.click(href='identification/idp/')
--- a/wcs/backoffice/root.py
+++ b/wcs/backoffice/root.py
@ -139,6 +139,10 @@ class RootDirectory(BackofficeRootDirectory):
                                       'Please login.'))
            if not user.can_go_in_backoffice():
                raise errors.AccessForbiddenError()
+        else:
+            # empty site
+            if get_cfg('idp'):  # but already configured for IdP
+                raise errors.AccessUnauthorizedError()

        get_response().filter['in_backoffice'] = True