From 0220b5398eb13acbdc8ca59b788f52a5fe5e3189 Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Tue, 23 Apr 2019 10:49:04 +0200
Subject: [PATCH 1/3] attributes_ng: limit roles depending on authentication level

This has the effect of seeing only roles currently available to the user when getting user SAML attributes, and setting service role attributes accordingly.
---
 src/authentic2/attributes_ng/sources/django_user.py | 3 ++-
 src/authentic2/attributes_ng/sources/service_roles.py | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/authentic2/attributes_ng/sources/django_user.py b/src/authentic2/attributes_ng/sources/django_user.py
index 07392d21..af8a9f59 100644
--- a/src/authentic2/attributes_ng/sources/django_user.py
+++ b/src/authentic2/attributes_ng/sources/django_user.py
@@ -99,7 +99,8 @@ def get_attributes(instance, ctx):
 ctx['django_user_identifier'] = splitted[0]
 ctx['django_user_full_name'] = user.get_full_name()
 Role = get_role_model()
- roles = Role.objects.for_user(user)
+ user_auth_level = ctx['request'].session.get('auth_level', 1)
+ roles = Role.objects.for_user(user, max_auth_level=user_auth_level)
 ctx['a2_role_slugs'] = roles.values_list('slug', flat=True)
 ctx['a2_role_names'] = roles.values_list('name', flat=True)
 ctx['a2_role_uuids'] = roles.values_list('uuid', flat=True)
diff --git a/src/authentic2/attributes_ng/sources/service_roles.py b/src/authentic2/attributes_ng/sources/service_roles.py
index cc5ef5d1..3c8d7203 100644
--- a/src/authentic2/attributes_ng/sources/service_roles.py
+++ b/src/authentic2/attributes_ng/sources/service_roles.py
@@ -54,7 +54,8 @@ def get_attributes(instance, ctx):
 if not user or not service:
 return ctx
 ctx = ctx.copy()
- roles = Role.objects.for_user(user) \
+ user_auth_level = ctx['request'].session.get('auth_level', 1)
+ roles = Role.objects.for_user(user, max_auth_level=user_auth_level) \
 .filter(service=service) \
 .prefetch_related('attributes')
 for service_role in roles:
--
2.20.1
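Review bot: `ctx['request']` is indexed unconditionally in the added `user_auth_level` line of django_user.py, and the same line is added in service_roles.py, where the visible guard checks only `user` and `service`. If any caller builds the attribute context without a request (nothing in these hunks shows it is always present), this raises KeyError and attribute resolution fails instead of returning a restricted role set. I would read it defensively and fall back to the default level: `request = ctx.get('request')` followed by `user_auth_level = request.session.get('auth_level', 1) if request is not None else 1`. The literal `1` is duplicated in both files and appears to be the base level; a named constant or shared helper, with a comment such as `# no recorded auth level: expose only roles available at the base level`, would keep the two sources from drifting apart. Both `get_attributes` bodies start and end outside the hunks.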