From a254424d51148c3f7c7f488cfb930a082b6df932 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 24 Sep 2019 11:41:51 +0200
Subject: [PATCH] authentic: allow provisionning some technical roles (#36398)

---
 hobo/agent/authentic2/provisionning.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hobo/agent/authentic2/provisionning.py b/hobo/agent/authentic2/provisionning.py
index bf8297a..502d284 100644
--- a/hobo/agent/authentic2/provisionning.py
+++ b/hobo/agent/authentic2/provisionning.py
@@ -85,6 +85,8 @@ class Provisionning(threading.local):
             instance.ou = ous[instance.ou_id]
 
     def notify_users(self, ous, users, mode='provision'):
+        allowed_technical_roles_prefixes = getattr(settings, 'HOBO_PROVISION_ROLE_PREFIXES', []) or []
+
         if mode == 'provision':
             users = (User.objects.filter(id__in=[u.id for u in users])
                      .select_related('ou').prefetch_related('attribute_values__attribute'))
@@ -95,6 +97,9 @@ class Provisionning(threading.local):
         for user in users:
             ous.setdefault(user.ou, set()).add(user)
 
+        def is_forbidden_technical_role(role):
+            return role.slug.startswith('_') and not role.slug.startswith(tuple(allowed_technical_roles_prefixes))
+
         issuer = unicode(self.get_entity_id())
 
         if mode == 'provision':
@@ -103,7 +108,7 @@ class Provisionning(threading.local):
                 data = {}
                 # filter user's roles visible by the service's ou
                 roles = [role for role in user_roles.get(user.id, [])
-                         if (not role.slug.startswith('_')
+                         if (not is_forbidden_technical_role(role)
                              and (role.ou_id is None or (ou and role.ou_id == ou.id)))]
                 data.update({
                     'uuid': user.uuid,
-- 
2.23.0
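Review bot: `tuple(allowed_technical_roles_prefixes)` in `is_forbidden_technical_role` (second hunk) lets a misconfigured `HOBO_PROVISION_ROLE_PREFIXES` silently disable the technical-role filter: an empty string in the list matches every slug, and a plain string value is iterated character by character, so a setting like `'_foo'` puts `'_'` in the tuple and every `_`-prefixed role is sent to the services. The setting should be validated once where it is read in the first hunk, not re-tupled on every role, e.g. `prefixes = getattr(settings, 'HOBO_PROVISION_ROLE_PREFIXES', None) or ()` then reject a bare string (`basestring`, given the `unicode()` call on the new side) by raising Django's `ImproperlyConfigured`, and `allowed_technical_roles_prefixes = tuple(p for p in prefixes if p)`. A one-line comment above the setting lookup saying that technical roles are hidden from services by default and that these prefixes widen that exposure would also help the next maintainer. `notify_users` begins in the first hunk and continues past the last one.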