authorKelley Spoon <kelley.spoon@linaro.org>2022-02-02 04:59:01 -0600
committerKelley Spoon <kelley.spoon@linaro.org>2022-02-02 11:02:51 +0000
commitc43b8fd558fa4871f84697dd10c5a344be23b914 (patch)
parent6f19b63a6e257d9ac51eec9d4783579fabe0d840 (diff)
group_auth_ldap: fix an error with user group authorization
There is a bug in the ldap group authorization code where we use the full django username for authentication (which is the full email), but only the UID (first.lastname) is stored in the group membership table. We should also take this time to just try to look up the UID in the groups table instead of trying to build a list of group memberships for the user and compare that to the required groups. Change-Id: I41209fb8745a6225f3e7344910dc89c19d336a76 Signed-off-by: Kelley Spoon <kelley.spoon@linaro.org> Reviewed-on: https://review.linaro.org/c/infrastructure/linaro-license-protection/+/40448
1 files changed, 3 insertions, 6 deletions
diff --git a/license_protected_downloads/group_auth_ldap.py b/license_protected_downloads/group_auth_ldap.py
index 07f7a77..3896beb 100644
--- a/license_protected_downloads/group_auth_ldap.py
+++ b/license_protected_downloads/group_auth_ldap.py
@@ -16,15 +16,12 @@ def process_group_auth(request, required_groups):
if not request.user.is_authenticated():
return redirect(settings.LOGIN_URL + "?next=" + request.path)
- user = request.user.username
+ user = request.user.username.split('@').pop(0)
log.warn("Authenticating using LDAP API: %s", user)
ldap_groups = linaro_ldap.get_groups_and_users()
- user_groups = [g for g in ldap_groups if user in ldap_groups[g]]
- log.info("User groups are: %s", user_groups)
- for user_group in user_groups:
- if user_group in required_groups:
+ for group in required_groups:
+ if user in ldap_groups[group]:
return True
return False
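Review bot: The authorization decision is now keyed only on the local part of the username (`request.user.username.split('@').pop(0)`), so any authenticated account whose username starts with the same `first.lastname` is treated as that LDAP member, whatever follows the `@`. If this Django instance can hold accounts from more than one mail domain (not visible from this hunk), the domain should be checked against the expected one before it is stripped, or the UID taken from the LDAP-backed user record instead of being derived from the username. Separately, `ldap_groups[group]` raises KeyError when a required group is absent from the result of `linaro_ldap.get_groups_and_users()`, which the removed comprehension could not do; `if user in ldap_groups.get(group, ()):` keeps that case a plain denial rather than an unhandled error. The body of process_group_auth starts above the hunk, so any handling there is not visible.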