authorKelley Spoon <kelley.spoon@linaro.org>2022-02-02 04:59:01 -0600
committerKelley Spoon <kelley.spoon@linaro.org>2022-02-02 11:02:51 +0000
commitc43b8fd558fa4871f84697dd10c5a344be23b914 (patch)
tree408c7002b36629b8e183a9b49471e8f366ab392f
parent6f19b63a6e257d9ac51eec9d4783579fabe0d840 (diff)
group_auth_ldap: fix an error with user group authorization
There is a bug in the ldap group authorization code where we use the full django username for authentication (which is the full email), but only the UID (first.lastname) is stored in the group membership table. We should also take this time to just try to look up the UID in the groups table instead of trying to build a list of group memberships for the user and compare that to the required groups. Change-Id: I41209fb8745a6225f3e7344910dc89c19d336a76 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/linaro-license-protection/+/40448
-rw-r--r--license_protected_downloads/group_auth_ldap.py9
1 files changed, 3 insertions, 6 deletions
diff --git a/license_protected_downloads/group_auth_ldap.py b/license_protected_downloads/group_auth_ldap.py
index 07f7a77..3896beb 100644
--- a/license_protected_downloads/group_auth_ldap.py
+++ b/license_protected_downloads/group_auth_ldap.py
@@ -16,15 +16,12 @@ def process_group_auth(request, required_groups):
if not request.user.is_authenticated():
return redirect(settings.LOGIN_URL + "?next=" + request.path)
- user = request.user.username
+ user = request.user.username.split('@').pop(0)
log.warn("Authenticating using LDAP API: %s", user)
ldap_groups = linaro_ldap.get_groups_and_users()
- user_groups = [g for g in ldap_groups if user in ldap_groups[g]]
- log.info("User groups are: %s", user_groups)
-
- for user_group in user_groups:
- if user_group in required_groups:
+ for group in required_groups:
+ if user in ldap_groups[group]:
return True
return False
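Review bot: Reducing the username to its local part with `request.user.username.split('@').pop(0)` drops the domain before the authorization decision, so any account whose address begins with a group member's UID would be treated as that member. If the login backend can admit addresses from more than one domain (not visible in this hunk), split with `uid, _, domain = request.user.username.partition('@')` and return False unless `domain` matches the configured LDAP-backed domain. Separately, `ldap_groups[group]` raises KeyError when a name in `required_groups` is absent from the LDAP result, where the removed comprehension simply found no match. Assuming `get_groups_and_users()` returns a plain dict, `if user in ldap_groups.get(group, ()):` keeps the check deny-by-default instead of failing the request. The body of `process_group_auth` starts above the hunk.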