From c2cd6c5e9f1b5f8217569fbfdf890c5a300bd910 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 6 Aug 2019 11:26:28 +0200
Subject: [PATCH] provisioning: only send user's roles visible by the service (#35168)
---
 hobo/agent/authentic2/provisionning.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/hobo/agent/authentic2/provisionning.py b/hobo/agent/authentic2/provisionning.py
index 4442ed7..8e0c244 100644
--- a/hobo/agent/authentic2/provisionning.py
+++ b/hobo/agent/authentic2/provisionning.py
@@ -98,10 +98,9 @@ class Provisionning(threading.local):
         issuer = unicode(self.get_entity_id())
         if mode == 'provision':
-            def user_to_json(service, user, user_roles):
+            def user_to_json(ou, service, user, user_roles):
                 from authentic2.api_views import BaseUserSerializer
                 data = {}
-                roles = user.roles_and_parents().prefetch_related('attributes')
                 data.update({
                     'uuid': user.uuid,
                     'username': user.username,
@@ -113,7 +112,7 @@ class Provisionning(threading.local):
                         'uuid': role.uuid,
                         'name': role.name,
                         'slug': role.slug,
-                    } for role in roles],
+                    } for role in user_roles.get(user.id, []) if role.ou_id is None or role.ou_id == ou.id],
                 })
                 data.update(BaseUserSerializer(user).data)
                 # check if user is superuser through a role
@@ -166,7 +165,7 @@ class Provisionning(threading.local):
                     'full': False,
                     'objects': {
                         '@type': 'user',
-                        'data': [user_to_json(service, user, user_roles)],
+                        'data': [user_to_json(ou, service, user, user_roles)],
                     }
                 })
             else:
@@ -183,7 +182,7 @@ class Provisionning(threading.local):
                     'full': False,
                     'objects': {
                         '@type': 'user',
-                        'data': [user_to_json(None, user, user_roles) for user in users],
+                        'data': [user_to_json(ou, None, user, user_roles) for user in users],
                     }
                 })
         elif users:
-- 
2.22.0
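Review bot: The predicate `if role.ou_id is None or role.ou_id == ou.id` in the second hunk is now the only thing deciding which role memberships a service gets to see, yet it sits inside a dict literal with no comment and nothing in the patch documents the rule; the same line also silently replaces the removed `user.roles_and_parents()` source from the first hunk with `user_roles.get(user.id, [])`, which is built outside the hunk. I would lift the rule into a named inner helper so it can be read and tested on its own, `def role_visible(role): return role.ou_id is None or role.ou_id == ou.id`, with the comment `# disclose only global roles (no OU) and roles of the target OU; user_roles must already include inherited roles`. If `user_roles` holds direct memberships only, roles inherited through parent roles stop being provisioned with this change — worth confirming against the caller, as I cannot see how the mapping is built. `user_to_json` is defined in the first hunk and its body continues outside the second.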
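Review bot: The new call `user_to_json(ou, None, user, user_roles)` in the service-less branch of the last hunk makes the role filter dereference `ou.id`, so this branch now requires `ou` to be a bound OU object; whether it always is cannot be told from the hunk, as the assignment of `ou` is outside it. If that branch can run with `ou` unset, the comprehension raises `AttributeError` midway through provisioning instead of producing a payload. Either state the precondition next to the call, `# ou is required here: the role filter compares role.ou_id against ou.id`, or make the predicate tolerate it with `role.ou_id is None or (ou is not None and role.ou_id == ou.id)`, whichever matches the caller's contract. The enclosing method continues outside the hunk.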