Make Tim and Dennis more happy. Make Art less happy.

Also allow direct user permissions.

Make Tim and Dennis more happy. Make Art less happy.
546ca0ea · Art · 5a93970f · 546ca0ea · 546ca0ea · 546ca0ea
Commit 546ca0ea authored 7 years ago by Art
--- a/ssoauth/auth_utils.py
+++ b/ssoauth/auth_utils.py
@@ -83,10 +83,7 @@ def get_or_create_user(uuid, username):
    if not user:
        user = create_user(uuid, username)  # create if not present
    # sanity check
-    if user and user.user_permissions.all().count():
-        logger.error("Who assigned permissions directly to user {user}?! Removing: {perms}".format(
-            user=user, perms=", ".join(str(p) for p in user.user_permissions)))
-        user.user_permissions.clear()
+    cleanup_direct_permissions(user)
    return user


@@ -124,6 +121,12 @@ def set_user_groups(user, group_dn_list):
        user=user, g_n=len(groups), g_names=", ".join(str(g) for g in groups), dn_n=len(group_dn_list)))


+def cleanup_direct_permissions(user):
+    if user.user_permissions.exists():
+        logger.critical("Who attached permissions directly to {user} ?!?!".format(**locals()))
+        user.user_permissions.clear()
+
+
 def set_user_compat_flags(user):
    is_active = True
    user.is_staff = False

--- a/ssoauth/checks.py
+++ b/ssoauth/checks.py
@@ -49,20 +49,6 @@ def compatible_user_model(app_configs, **kwargs):
    return errors


-@register(Tags.security)
-@_ignore_db_errors
-def no_direct_user_permissions(app_configs, **kwargs):
-    errors = list()
-    qs_bad_users = get_user_model().objects.filter(user_permissions__isnull=False)
-    if qs_bad_users.count() is not 0:
-        errors.append(Error(
-            "Detected directly assigned permissions. Truncate the User<->Permission table. Investigate the reason. " +
-            "Bad users: {0}".format(", ".join(u.username for u in qs_bad_users)),
-            obj=get_user_model(),
-        ))
-    return errors
-
-
 @register(Tags.urls)
 def auth_urls_configured(app_configs, **kwargs):
    errors = list()

--- a/ssoauth/views.py
+++ b/ssoauth/views.py
@@ -118,6 +118,7 @@ class ACSAuthNView(SAMLMixin, View):
            user=user,
            group_dn_list=get_attr("idm_groups", nullable=True, multivalued=True) or list()
        )
+        auth_utils.cleanup_direct_permissions(user=user)
        auth_utils.set_user_compat_flags(user=user)
        request.user = user
        contrib_auth.login(request, user)