0001-authentic-allow-provisionning-some-technical-roles-3.patch
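--- a/hobo/agent/authentic2/provisionning.py
+++ b/hobo/agent/authentic2/provisionning.py
@@ -85,6 +85,8 @@
 instance.ou = ous[instance.ou_id]
 
 def notify_users(self, ous, users, mode='provision'):
+allowed_technical_roles_prefixes = getattr(settings, 'HOBO_PROVISION_ROLE_PREFIXES', []) or []
+
 if mode == 'provision':
 users = (User.objects.filter(id__in=[u.id for u in users])
 .select_related('ou').prefetch_related('attribute_values__attribute'))
@@ -95,6 +97,9 @@
 for user in users:
 ous.setdefault(user.ou, set()).add(user)
 
+def is_forbidden_technical_role(role):
+return role.slug.startswith('_') and not role.slug.startswith(tuple(allowed_technical_roles_prefixes))
+
 issuer = unicode(self.get_entity_id())
 if mode == 'provision':
 
@@ -103,7 +108,7 @@
 data = {}
 # filter user's roles visible by the service's ou
 roles = [role for role in user_roles.get(user.id, [])
-if (not role.slug.startswith('_')
+if (not is_forbidden_technical_role(role)
 and (role.ou_id is None or (ou and role.ou_id == ou.id)))]
 data.update({
 'uuid': user.uuid,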
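Review bot: The new helper `is_forbidden_technical_role` passes `HOBO_PROVISION_ROLE_PREFIXES` straight to `tuple()`, so a deployment that sets it to a plain string such as `'_a2-'` ends up with the characters `('_', 'a', '2', '-')`, and the `'_'` entry then matches every technical role; an empty-string or bare `'_'` entry in a list has the same effect. Because this filter decides which internal roles are disclosed to provisioned services, the value should be normalised once where it is read, for example `if isinstance(prefixes, basestring): prefixes = [prefixes]` followed by `prefixes = tuple(p for p in prefixes if p.startswith('_') and len(p) > 1)` (the file appears to be Python 2, given `unicode(...)`). A one-line comment at the `getattr(settings, ...)` call stating that the setting is a list of slug prefixes, each starting with `_`, would also make the expected shape explicit. The body of `notify_users` continues outside the lines shown, so other uses of the role list could not be checked.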
110 |
- |