diff --git a/ssoauth/auth_utils.py b/ssoauth/auth_utils.py
index 8a87d061b1252c04469f9d2f0c58fb961f8e3bf9..2ed213ebe6f36593c2bb0512d7388fb257fe0825 100644
--- a/ssoauth/auth_utils.py
+++ b/ssoauth/auth_utils.py
@@ -83,10 +83,7 @@ def get_or_create_user(uuid, username):
     if not user:
         user = create_user(uuid, username)  # create if not present
     # sanity check
-    if user and user.user_permissions.all().count():
-        logger.error("Who assigned permissions directly to user {user}?! Removing: {perms}".format(
-            user=user, perms=", ".join(str(p) for p in user.user_permissions)))
-        user.user_permissions.clear()
+    cleanup_direct_permissions(user)
     return user
 
 
@@ -124,6 +121,12 @@ def set_user_groups(user, group_dn_list):
         user=user, g_n=len(groups), g_names=", ".join(str(g) for g in groups), dn_n=len(group_dn_list)))
 
 
+def cleanup_direct_permissions(user):
+    if user.user_permissions.exists():
+        logger.critical("Who attached permissions directly to {user} ?!?!".format(**locals()))
+        user.user_permissions.clear()
+
+
 def set_user_compat_flags(user):
     is_active = True
     user.is_staff = False
diff --git a/ssoauth/checks.py b/ssoauth/checks.py
index 2b18c7edc82f331112e7f2086e4a4efb81cc2e6a..615b31a692ecb3b6635eeaebad9f74f9775e34b0 100644
--- a/ssoauth/checks.py
+++ b/ssoauth/checks.py
@@ -49,20 +49,6 @@ def compatible_user_model(app_configs, **kwargs):
     return errors
 
 
-@register(Tags.security)
-@_ignore_db_errors
-def no_direct_user_permissions(app_configs, **kwargs):
-    errors = list()
-    qs_bad_users = get_user_model().objects.filter(user_permissions__isnull=False)
-    if qs_bad_users.count() is not 0:
-        errors.append(Error(
-            "Detected directly assigned permissions. Truncate the User<->Permission table. Investigate the reason. " +
-            "Bad users: {0}".format(", ".join(u.username for u in qs_bad_users)),
-            obj=get_user_model(),
-        ))
-    return errors
-
-
 @register(Tags.urls)
 def auth_urls_configured(app_configs, **kwargs):
     errors = list()
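Review bot: The new `cleanup_direct_permissions(user)` call in get_or_create_user drops the `if user and ...` guard of the block it replaces; if `create_user` can return a falsy value (the removed guard suggests the author allowed for that), the helper's `user.user_permissions.exists()` now raises AttributeError where the old code returned None. Either keep the guard, `if user:` / `    cleanup_direct_permissions(user)`, or state in a comment that `create_user` never returns None so the unconditional call is safe. The `# sanity check` comment above the call would read better as `# sanity check: permissions must only come via groups, strip any attached directly`. create_user's definition is outside the hunk.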
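Review bot: The new `cleanup_direct_permissions` logs that permissions were attached directly but, unlike the `logger.error` it replaces in get_or_create_user, no longer records which permissions it removes, so `clear()` destroys the evidence an investigator would want. Capture them before clearing: `perms = list(user.user_permissions.all())`, `if perms:`, `logger.critical("Who attached permissions directly to {user} ?!?! Removing: {perms}".format(user=user, perms=", ".join(str(p) for p in perms)))` (note `.all()`: the removed code iterated the manager itself, which Django related managers do not support, so that log line likely never worked). `.format(**locals())` is an obscure way to pass `user`; `format(user=user)` says the same. A docstring is missing; suggest "Strip permissions attached directly to *user* and log it; permissions are expected to arrive only through groups (see set_user_groups), so a direct grant indicates a misconfiguration or tampering." With the `no_direct_user_permissions` system check deleted in checks.py, this function is now the only detection point and it fires only when the user logs in, so direct grants on accounts that never log in again go unreported — worth stating in the docstring if that trade-off is intended.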
diff --git a/ssoauth/views.py b/ssoauth/views.py
index 1ee0733d73aa8f26080f6e2b71f4138f511ab5d7..8ab9f42f63509e267667d37d5b0c90afa8ddee6f 100644
--- a/ssoauth/views.py
+++ b/ssoauth/views.py
@@ -118,6 +118,7 @@ class ACSAuthNView(SAMLMixin, View):
             user=user,
             group_dn_list=get_attr("idm_groups", nullable=True, multivalued=True) or list()
         )
+        auth_utils.cleanup_direct_permissions(user=user)
         auth_utils.set_user_compat_flags(user=user)
         request.user = user
         contrib_auth.login(request, user)
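Review bot: The added `auth_utils.cleanup_direct_permissions(user=user)` makes this login path the only place directly assigned permissions are detected now that the `no_direct_user_permissions` system check is deleted in checks.py, and a reader of this view cannot see why the call sits between set_user_groups and set_user_compat_flags. A one-line comment would carry that: `# last line of defence: strip permissions attached directly to the account; the startup check that reported them was removed`. If `user` here comes from get_or_create_user (not visible in the hunk), the same cleanup already ran there and this call is a second, redundant query per login; harmless, but worth a word in the comment if it is deliberate. The enclosing method starts outside the hunk.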