From aff971909221f8c9c1bbbc479f52fa7c9db2a4de Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Tue, 19 May 2015 15:30:54 +0200
Subject: [PATCH] saml2: set user roles from the SAML attribute "role-slug" (#7281)

---
 wcs/qommon/saml2.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/wcs/qommon/saml2.py b/wcs/qommon/saml2.py
index 35534dc..b014fa6 100644
--- a/wcs/qommon/saml2.py
+++ b/wcs/qommon/saml2.py
@@ -35,6 +35,7 @@ import misc
 from publisher import get_cfg, get_logger
 from qommon import template
 from template import error_page
+from wcs.roles import Role
 import errors
 
@@ -462,6 +463,24 @@ class Saml2Directory(Directory):
                 user.form_data[field_id] = d[key]
                 logger.info('setting field %s of user %s to value %r', field_id, user.id, d[key])
                 save = True
+
+        # update user roles from role-slug or wipe them if
+        # idp-manage-user-attributes is True
+        if 'role-slug' in m:
+            role_ids = []
+            roles = []
+            for slug in m['role-slug']:
+                role = Role.get_on_index(slug, 'slug', ignore_errors=True)
+                if not role:
+                    continue
+                role_ids.append(str(role.id))
+                roles.append(role)
+            if set(user.roles) != set(role_ids):
+                user.roles = role_ids
+                role_list = ', '.join(role.name for role in roles)
+                logger.info('enroling user %s in %s', user.id, role_list)
+                save = True
+
         if save:
             user.store()
-- 
2.1.4
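Review bot: The comment above `if 'role-slug' in m:` says the roles are wiped only "if idp-manage-user-attributes is True", but nothing in the hunk reads that setting — the user's roles are replaced whenever the attribute is present, including when every slug fails to resolve and `role_ids` ends up empty; unless the whole branch sits under such a check outside the hunk, either the comment or the guard needs to change. A slug that `Role.get_on_index` does not find is dropped by the bare `continue` with no trace, so a mistyped or unexpected value from the IdP silently removes a role; a line such as `logger.warning('unknown role slug %r for user %s', slug, user.id)` before the `continue` makes that visible in the logs. `set(user.roles)` raises if `user.roles` can be None — the attribute's type is not shown here, so this is inferred; `set(user.roles or [])` is the safe form. The log message spells `enroling`; `enrolling` is the usual spelling. The enclosing method of `Saml2Directory` begins outside the hunk.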