do not remove the default user group when refreshing permissions w/ burnettk

This commit is contained in:
jasquat 2023-02-15 11:09:04 -05:00
parent 83bd4f1cb3
commit 7b96335221
5 changed files with 34 additions and 10 deletions

View File

@ -124,6 +124,9 @@ def setup_config(app: Flask) -> None:
setup_database_uri(app)
setup_logger(app)
if app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"] == "":
app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"] = None
thread_local_data = threading.local()
app.config["THREAD_LOCAL_DATA"] = thread_local_data
_set_up_tenant_specific_fields_as_list_of_strings(app)

View File

@ -93,3 +93,7 @@ ALLOW_CONFISCATING_LOCK_AFTER_SECONDS = int(
# and store in the user table's tenant_specific_field_n columns. You can have up to three items in this
# comma-separated list.
TENANT_SPECIFIC_FIELDS = environ.get("TENANT_SPECIFIC_FIELDS")
SPIFFWORKFLOW_DEFAULT_USER_GROUP = environ.get(
"SPIFFWORKFLOW_DEFAULT_USER_GROUP", default="everybody"
)

View File

@ -1,5 +1,6 @@
"""Users_controller."""
import flask
from flask import current_app
from flask import g
from flask import jsonify
from flask import make_response
@ -22,5 +23,9 @@ def user_group_list_for_current_user() -> flask.wrappers.Response:
"""User_group_list_for_current_user."""
groups = g.user.groups
# TODO: filter out the default group and have a way to know what is the default group
group_identifiers = [i.identifier for i in groups if i.identifier != "everybody"]
group_identifiers = [
i.identifier
for i in groups
if i.identifier != current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]
]
return make_response(jsonify(sorted(group_identifiers)), 200)

View File

@ -169,8 +169,11 @@ class AuthenticationService:
iat = decoded_token["iat"]
if iss != cls.server_url():
valid = False
elif aud not in (cls.client_id(), "account") and\
aud != [cls.client_id(), "account"]:
# aud could be an array or a string
elif aud not in (cls.client_id(), "account") and aud != [
cls.client_id(),
"account",
]:
valid = False
elif azp and azp not in (
cls.client_id(),

View File

@ -141,7 +141,6 @@ class AuthorizationService:
)
.all()
)
for permission_assignment in permission_assignments:
if permission_assignment.grant_type == "permit":
return True
@ -795,13 +794,23 @@ class AuthorizationService:
db.session.delete(ipa)
for iutga in initial_user_to_group_assignments:
current_user_dict: UserToGroupDict = {
"username": iutga.user.username,
"group_identifier": iutga.group.identifier,
}
if current_user_dict not in desired_user_to_group_identifiers:
db.session.delete(iutga)
# do not remove users from the default user group
if (
current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"] is None
or current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]
!= iutga.group.identifier
):
current_user_dict: UserToGroupDict = {
"username": iutga.user.username,
"group_identifier": iutga.group.identifier,
}
if current_user_dict not in desired_user_to_group_identifiers:
db.session.delete(iutga)
# do not remove the default user group
desired_group_identifiers.add(
current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]
)
groups_to_delete = GroupModel.query.filter(
GroupModel.identifier.not_in(desired_group_identifiers)
).all()