do not remove the default user group when refreshing permissions w/ burnettk
parent
83bd4f1cb3
commit
7b96335221
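--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -124,6 +124,9 @@ def setup_config(app: Flask) -> None:
 setup_database_uri(app)
 setup_logger(app)
 
+if app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"] == "":
+app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"] = None
+
 thread_local_data = threading.local()
 app.config["THREAD_LOCAL_DATA"] = thread_local_data
 _set_up_tenant_specific_fields_as_list_of_strings(app)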
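Review bot: The new `if app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"] == "":` block carries no comment saying why the empty string is rewritten to None, and nothing else in this hunk explains that None is the "no default group" sentinel the authorization code on this page later tests with `is None`. Suggest, above the `if`: `# An empty SPIFFWORKFLOW_DEFAULT_USER_GROUP means "no default group"; normalize to None so consumers only test for one value.` If the value originates from an environment variable, a whitespace-only setting would presumably pass this equality check and still be treated as a real group name; `if not (app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"] or "").strip():` would cover that, should it matter. setup_config starts before and continues after the hunk.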
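--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -93,3 +93,7 @@ ALLOW_CONFISCATING_LOCK_AFTER_SECONDS = int(
 # and store in the user table's tenant_specific_field_n columns. You can have up to three items in this
 # comma-separated list.
 TENANT_SPECIFIC_FIELDS = environ.get("TENANT_SPECIFIC_FIELDS")
+
+SPIFFWORKFLOW_DEFAULT_USER_GROUP = environ.get(
+"SPIFFWORKFLOW_DEFAULT_USER_GROUP", default="everybody"
+)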
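Review bot: The new `SPIFFWORKFLOW_DEFAULT_USER_GROUP = environ.get(...)` setting has no comment, whereas the neighbouring `TENANT_SPECIFIC_FIELDS` entry directly above it is documented; what the group is used for and what an empty value means cannot be learned from this file. Suggest two comment lines above the assignment: `# Identifier of the group every user is placed in automatically ("everybody" by default).` and `# Set to an empty string to disable the default group (the app maps "" to None at startup).` The second line presumes the normalization in setup_config on this page is the only place the empty value is interpreted; confirm that before wording it as a guarantee.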
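--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,5 +1,6 @@
 """Users_controller."""
 import flask
+from flask import current_app
 from flask import g
 from flask import jsonify
 from flask import make_response
@@ -22,5 +23,9 @@ def user_group_list_for_current_user() -> flask.wrappers.Response:
 """User_group_list_for_current_user."""
 groups = g.user.groups
 # TODO: filter out the default group and have a way to know what is the default group
-group_identifiers = [i.identifier for i in groups if i.identifier != "everybody"]
+group_identifiers = [
+i.identifier
+for i in groups
+if i.identifier != current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]
+]
 return make_response(jsonify(sorted(group_identifiers)), 200)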
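Review bot: The `# TODO: filter out the default group and have a way to know what is the default group` context line in the second hunk is now stale, because the rewritten comprehension right below it does exactly that through `current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]`; drop the TODO or replace it with `# Hide the configured default group from the user's own group list.`. The config lookup also sits inside the comprehension's `if`, so it is evaluated once per group; binding it first, `default_group = current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]` and then `if i.identifier != default_group`, reads more plainly and makes the comparison obvious. The `def user_group_list_for_current_user` line itself is above the hunk.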
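--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -169,8 +169,11 @@ class AuthenticationService:
 iat = decoded_token["iat"]
 if iss != cls.server_url():
 valid = False
-elif aud not in (cls.client_id(), "account") and\
-aud != [cls.client_id(), "account"]:
+# aud could be an array or a string
+elif aud not in (cls.client_id(), "account") and aud != [
+cls.client_id(),
+"account",
+]:
 valid = False
 elif azp and azp not in (
 cls.client_id(),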
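Review bot: The new `# aud could be an array or a string` comment is placed after the previous branch's `valid = False` and directly above the `elif`, where it reads as a trailer to the `iss` branch rather than an introduction to the `aud` one, and it understates what the condition actually accepts: a bare client id, a bare "account", or the exact two-element list `[client_id, "account"]` in that order. A list in the other order, or one carrying an additional audience, is rejected by `aud != [cls.client_id(), "account"]`, which fails closed but may surprise whoever next debugs a rejected token; if that strictness is intended, say so with `# aud may be a string or a list; only the exact [client_id, "account"] list form is accepted`. If instead the intent is "our client id must be among the audiences", `isinstance(aud, list) and cls.client_id() in aud` states that directly, but that is a validation-policy change deserving its own review rather than a formatting commit. The enclosing method starts and ends outside the hunk.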
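--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -141,7 +141,6 @@ class AuthorizationService:
 )
 .all()
 )
-
 for permission_assignment in permission_assignments:
 if permission_assignment.grant_type == "permit":
 return True
@@ -795,6 +794,12 @@ class AuthorizationService:
 db.session.delete(ipa)
 
 for iutga in initial_user_to_group_assignments:
+# do not remove users from the default user group
+if (
+current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"] is None
+or current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]
+!= iutga.group.identifier
+):
 current_user_dict: UserToGroupDict = {
 "username": iutga.user.username,
 "group_identifier": iutga.group.identifier,
@@ -802,6 +807,10 @@ class AuthorizationService:
 if current_user_dict not in desired_user_to_group_identifiers:
 db.session.delete(iutga)
 
+# do not remove the default user group
+desired_group_identifiers.add(
+current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]
+)
 groups_to_delete = GroupModel.query.filter(
 GroupModel.identifier.not_in(desired_group_identifiers)
 ).all()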
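Review bot: In the third hunk, `desired_group_identifiers.add(current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"])` runs unconditionally, so when the setting is None (the value setup_config assigns for an empty string) None lands in the collection handed to `GroupModel.identifier.not_in(...)`; a SQL `NOT IN` list that contains NULL evaluates to unknown for every row, so `groups_to_delete` would likely come back empty and stale groups would never be removed once the default group is disabled. The second hunk already guards the same setting with `is None` for user-to-group assignments; mirror that here with `default_group = current_app.config["SPIFFWORKFLOW_DEFAULT_USER_GROUP"]`, `if default_group is not None:`, `desired_group_identifiers.add(default_group)`. The enclosing method's header is above the second hunk and its body continues past the third.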