From 56533803f54ac1672a9509aab0e9edd4bf2b4343 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 6 Aug 2019 11:26:28 +0200
Subject: [PATCH] provisioning: only send user's roles visible by the service (#35168)
---
 hobo/agent/authentic2/provisionning.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hobo/agent/authentic2/provisionning.py b/hobo/agent/authentic2/provisionning.py
index 4442ed7..9328cf5 100644
--- a/hobo/agent/authentic2/provisionning.py
+++ b/hobo/agent/authentic2/provisionning.py
@@ -101,7 +101,6 @@ class Provisionning(threading.local):
 def user_to_json(service, user, user_roles):
 from authentic2.api_views import BaseUserSerializer
 data = {}
- roles = user.roles_and_parents().prefetch_related('attributes')
 data.update({
 'uuid': user.uuid,
 'username': user.username,
@@ -113,7 +112,7 @@ class Provisionning(threading.local):
 'uuid': role.uuid,
 'name': role.name,
 'slug': role.slug,
- } for role in roles],
+ } for role in user_roles.get(user.id, []) if role.ou_id is None or role.ou_id == service.ou_id],
 })
 data.update(BaseUserSerializer(user).data)
 # check if user is superuser through a role
-- 
2.22.0
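Review bot: In the second hunk the role list now comes from `user_roles.get(user.id, [])`, so a user missing from that map is serialised with no roles at all, which the receiving service may apply as removal of every role. The removed query used `user.roles_and_parents()`; whether `user_roles` is built with inherited roles included is not visible here and should be confirmed, otherwise roles granted through a parent would stop being provisioned. The visibility rule is the security-relevant part of the change and sits unexplained inside the comprehension; a comment above it such as `# only expose roles that are global (no OU) or belong to the service's OU` would help, and if `service` can ever be None the `service.ou_id` access needs a guard. `user_to_json` continues past the end of the hunk (the superuser check is outside it), so whether that check applies the same OU filter cannot be verified from this diff.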