From 546ca0eaf69303bffd9233aa64daf829d3b29e54 Mon Sep 17 00:00:00 2001
From: Art Lukyanchyk <artiom.lukyanchyk@hs-hannover.de>
Date: Tue, 15 Aug 2017 15:26:07 +0200
Subject: [PATCH] Make Tim and Dennis more happy. Make Art less happy.
Also allow direct user permissions.
---
ssoauth/auth_utils.py | 11 +++++++----
ssoauth/checks.py | 14 --------------
ssoauth/views.py | 1 +
3 files changed, 8 insertions(+), 18 deletions(-)
diff --git a/ssoauth/auth_utils.py b/ssoauth/auth_utils.py
index 8a87d06..2ed213e 100644
--- a/ssoauth/auth_utils.py
+++ b/ssoauth/auth_utils.py
@@ -83,10 +83,7 @@ def get_or_create_user(uuid, username):
if not user:
user = create_user(uuid, username) # create if not present
# sanity check
- if user and user.user_permissions.all().count():
- logger.error("Who assigned permissions directly to user {user}?! Removing: {perms}".format(
- user=user, perms=", ".join(str(p) for p in user.user_permissions)))
- user.user_permissions.clear()
+ cleanup_direct_permissions(user)
return user
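Review bot: The removed condition began with `if user and`, but `cleanup_direct_permissions(user)` is now called unconditionally, so a `None` result from `create_user` would raise `AttributeError` on `user.user_permissions` instead of being returned to the caller. `create_user` is defined outside this hunk, so either confirm it cannot return `None` or keep the guard as `if user: cleanup_direct_permissions(user)`. The `# sanity check` comment also hides that the call deletes rows; `# remove permissions assigned directly to the user` would say what happens.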
@@ -124,6 +121,12 @@ def set_user_groups(user, group_dn_list):
user=user, g_n=len(groups), g_names=", ".join(str(g) for g in groups), dn_n=len(group_dn_list)))
+def cleanup_direct_permissions(user):
+ if user.user_permissions.exists():
+ logger.critical("Who attached permissions directly to {user} ?!?!".format(**locals()))
+ user.user_permissions.clear()
+
+
def set_user_compat_flags(user):
is_active = True
user.is_staff = False
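Review bot: The log line in `cleanup_direct_permissions` no longer names the permissions being removed, so once `clear()` has run there is no record of which privileges had been granted directly. Capture them before clearing with `perms = ", ".join(str(p) for p in user.user_permissions.all())` and include `perms` in the message; the removed code iterated the manager without `.all()`, which would likely have failed. Passing `**locals()` to `format` ties the message to local variable names, and `format(user=user, perms=perms)` is more explicit. A one-line docstring stating that the function deletes every directly assigned permission of the user would help callers.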
diff --git a/ssoauth/checks.py b/ssoauth/checks.py
index 2b18c7e..615b31a 100644
--- a/ssoauth/checks.py
+++ b/ssoauth/checks.py
@@ -49,20 +49,6 @@ def compatible_user_model(app_configs, **kwargs):
return errors
-@register(Tags.security)
-@_ignore_db_errors
-def no_direct_user_permissions(app_configs, **kwargs):
- errors = list()
- qs_bad_users = get_user_model().objects.filter(user_permissions__isnull=False)
- if qs_bad_users.count() is not 0:
- errors.append(Error(
- "Detected directly assigned permissions. Truncate the User<->Permission table. Investigate the reason. " +
- "Bad users: {0}".format(", ".join(u.username for u in qs_bad_users)),
- obj=get_user_model(),
- ))
- return errors
-
-
@register(Tags.urls)
def auth_urls_configured(app_configs, **kwargs):
errors = list()
diff --git a/ssoauth/views.py b/ssoauth/views.py
index 1ee0733..8ab9f42 100644
--- a/ssoauth/views.py
+++ b/ssoauth/views.py
@@ -118,6 +118,7 @@ class ACSAuthNView(SAMLMixin, View):
user=user,
group_dn_list=get_attr("idm_groups", nullable=True, multivalued=True) or list()
)
+ auth_utils.cleanup_direct_permissions(user=user)
auth_utils.set_user_compat_flags(user=user)
request.user = user
contrib_auth.login(request, user)
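Review bot: With the cleanup called only here and in `get_or_create_user`, directly assigned permissions are noticed only for the account that is currently logging in, while the same commit deletes the `no_direct_user_permissions` system check in `ssoauth/checks.py` that looked at every user. Accounts that do not log in again keep any direct grants with no signal at all. If that is what "allow direct user permissions" intends, a comment at this call should say so; otherwise consider keeping the check at a non-blocking level. If `user` in this method comes from `get_or_create_user` (not visible in the hunk), the cleanup has already run there and this call repeats it.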
--
GitLab