From 83ee68e26a9e251ae4217c0a5be3331f3e9c7ed4 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 6 Aug 2019 11:26:28 +0200
Subject: [PATCH] provisioning: only send user's roles visible by the service (#35168)

---
 hobo/agent/authentic2/provisionning.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/hobo/agent/authentic2/provisionning.py b/hobo/agent/authentic2/provisionning.py
index 4442ed7..c3dafb2 100644
--- a/hobo/agent/authentic2/provisionning.py
+++ b/hobo/agent/authentic2/provisionning.py
@@ -98,10 +98,13 @@ class Provisionning(threading.local):
         issuer = unicode(self.get_entity_id())
 
         if mode == 'provision':
-            def user_to_json(service, user, user_roles):
+            def user_to_json(ou, service, user, user_roles):
                 from authentic2.api_views import BaseUserSerializer
                 data = {}
-                roles = user.roles_and_parents().prefetch_related('attributes')
+                # filter user's roles visible by the service's ou
+                roles = [role for role in user_roles.get(user.id, [])
+                         if (not role.slug.startswith('_')
+                             and (role.ou_id is None or role.ou_id == ou.id))]
                 data.update({
                     'uuid': user.uuid,
                     'username': user.username,
@@ -166,7 +169,7 @@ class Provisionning(threading.local):
                     'full': False,
                     'objects': {
                         '@type': 'user',
-                        'data': [user_to_json(service, user, user_roles)],
+                        'data': [user_to_json(ou, service, user, user_roles)],
                     }
                 })
         else:
@@ -183,7 +186,7 @@ class Provisionning(threading.local):
                     'full': False,
                     'objects': {
                         '@type': 'user',
-                        'data': [user_to_json(None, user, user_roles) for user in users],
+                        'data': [user_to_json(ou, None, user, user_roles) for user in users],
                     }
                 })
         elif users:
-- 
2.22.0
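Review bot: The new comprehension in the first hunk dereferences `ou.id` unconditionally, so if `ou` can ever be None at this point (it is bound outside these hunks, and the third hunk now passes it even where `service` is None) the provisioning message fails with AttributeError rather than simply withholding OU-scoped roles. A fail-closed form is `ou_id = ou.id if ou is not None else None` placed before the comprehension, with the test written as `role.ou_id == ou_id`, so that only global roles (`role.ou_id is None`) are sent when no OU is known. The removed line used `user.roles_and_parents()` while the new code reads `user_roles.get(user.id, [])`, so whether inherited parent roles still reach the service now depends on how `user_roles` is built outside the hunk; since this filter is the boundary that decides which roles a service learns about, that is worth confirming and stating in the comment. A one-line comment such as `# roles whose slug starts with '_' are internal and are never provisioned` would make the slug exclusion explicit for the next reader. `user_to_json` is nested in a method whose start and end lie outside this hunk.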