From 3233a137b506ab5d619385fe6d6c14965f2fc60a Mon Sep 17 00:00:00 2001
From: Paul Marillonnet
Date: Wed, 6 Dec 2017 10:24:25 +0100
Subject: [PATCH] ldap_backend: remove imprecise role creation capability (#20454)
---
 src/authentic2/backends/ldap_backend.py | 18 +++++-------------
 tests/test_ldap.py | 22 ----------------------
 2 files changed, 5 insertions(+), 35 deletions(-)
diff --git a/src/authentic2/backends/ldap_backend.py b/src/authentic2/backends/ldap_backend.py
index ba43f64d..96f8e625 100644
--- a/src/authentic2/backends/ldap_backend.py
+++ b/src/authentic2/backends/ldap_backend.py
@@ -249,8 +249,6 @@ class LDAPBackend(object):
 'is_staff': None,
 # create missing group if needed
 'create_group': False,
- # create missing role if needed
- 'create_role': False,
 # attributes to retrieve and store with the user object
 'attributes': ['uid'],
 # default value for some attributes
@@ -587,18 +585,12 @@ class LDAPBackend(object):
 except Group.DoesNotExist:
 return None
 
- def get_role_by_name(self, block, role_name, create=None):
+ def get_role_by_name(self, block, role_name):
 '''Obtain a Django role'''
- if create is None:
- create = block['create_role']
- if create:
- role, created = Role.objects.get_or_create(name=role_name)
- return role
- else:
- try:
- return Role.objects.get(name=role_name)
- except Role.DoesNotExist:
- return None
+ try:
+ return Role.objects.get(name=role_name)
+ except Role.DoesNotExist:
+ return None
 
 def populate_mandatory_groups(self, user, block):
 mandatory_groups = block.get('set_mandatory_groups')
diff --git a/tests/test_ldap.py b/tests/test_ldap.py
index 1ab923bf..62d76833 100644
--- a/tests/test_ldap.py
+++ b/tests/test_ldap.py
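Review bot: `Role.objects.get(name=role_name)` in the new `get_role_by_name` (second hunk of `ldap_backend.py`) still resolves a role by name alone and handles only `Role.DoesNotExist`; if role names are not unique in this model (the model is not visible here), an ambiguous name would raise `Role.MultipleObjectsReturned` out of the LDAP provisioning path. For an authorization mapping it is safer to fail closed, e.g. `except (Role.DoesNotExist, Role.MultipleObjectsReturned):` followed by `return None`, ideally with a log line naming the ambiguous role. The `block` argument is now unused and the `create` keyword is gone, so any caller outside this hunk that still passes `create=` will raise `TypeError`. A deployment that still sets `'create_role': True` (dropped from the defaults in the first hunk) will presumably have the setting ignored or rejected, so the docstring could say `'''Return the existing role named role_name, or None; roles are never created here'''`.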
@@ -359,26 +359,6 @@ def test_get_users(slapd, settings):
 
 
 @pytest.mark.django_db
-def test_create_mandatory_roles(slapd, settings):
- User = get_user_model()
- settings.LDAP_AUTH_SETTINGS = [{
- 'url': [slapd.ldap_url],
- 'basedn': 'o=orga',
- 'use_tls': False,
- 'create_group': True,
- 'group_mapping': [
- ('cn=group2,o=orga', ['Group2']),
- ],
- 'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
- 'set_mandatory_roles': ['tech', 'admin'],
- 'create_role': True,
- }]
-
- users = list(ldap_backend.LDAPBackend.get_users())
- assert User.objects.first().roles.count() == 2
-
-
-@pytest.mark.django_db
 def test_nocreate_mandatory_roles(slapd, settings):
 User = get_user_model()
 settings.LDAP_AUTH_SETTINGS = [{
@@ -391,7 +371,6 @@ def test_nocreate_mandatory_roles(slapd, settings):
 ],
 'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
 'set_mandatory_roles': ['tech', 'admin'],
- 'create_role': False,
 }]
 
 list(ldap_backend.LDAPBackend.get_users())
@@ -424,7 +403,6 @@ def test_no_connect_with_user_credentials(slapd_strict_acl, db, settings, app):
 ],
 'group_filter': '(&(memberUid={uid})(objectClass=posixGroup))',
 'set_mandatory_roles': ['tech', 'admin'],
- 'create_role': False,
 }]
 response = app.get('/login/')
 response.form.set('username', USERNAME)
-- 
2.11.0