ldap: Fix bad interaction between EMAIL_ADDRESS_VISIBILITY and LDAP sync.

A block of LDAP integration code related to data synchronization did not correctly handle EMAIL_ADDRESS_VISIBILITY_ADMINS, as it was accessing .email, not .delivery_email, both for logging and doing the mapping between email addresses and LDAP users. Fixes #13539.
2025-11-04 05:53:43 +00:00 · 2019-12-15 11:10:09 -08:00
parent 998b52dd8c
commit 02169c48cf
2 changed files with 19 additions and 6 deletions
--- a/zproject/backends.py
+++ b/zproject/backends.py
@@ -682,13 +682,13 @@ class ZulipLDAPUserPopulator(ZulipLDAPAuthBackendBase):
            if user_disabled_in_ldap:
                if user.is_active:
                    logging.info("Deactivating user %s because they are disabled in LDAP." %
-                                 (user.email,))
+                                 (user.delivery_email,))
                    do_deactivate_user(user)
                # Do an early return to avoid trying to sync additional data.
                return (user, built)
            elif not user.is_active:
                logging.info("Reactivating user %s because they are not disabled in LDAP." %
-                             (user.email,))
+                             (user.delivery_email,))
                do_reactivate_user(user)

        self.sync_avatar_from_ldap(user, ldap_user)
@@ -717,14 +717,14 @@ def catch_ldap_error(signal: Signal, **kwargs: Any) -> None:
 def sync_user_from_ldap(user_profile: UserProfile, logger: logging.Logger) -> bool:
    backend = ZulipLDAPUserPopulator()
    try:
-        ldap_username = backend.django_to_ldap_username(user_profile.email)
+        ldap_username = backend.django_to_ldap_username(user_profile.delivery_email)
    except ZulipLDAPExceptionNoMatchingLDAPUser:
        if settings.LDAP_DEACTIVATE_NON_MATCHING_USERS:
            do_deactivate_user(user_profile)
-            logger.info("Deactivated non-matching user: %s" % (user_profile.email,))
+            logger.info("Deactivated non-matching user: %s" % (user_profile.delivery_email,))
            return True
        elif user_profile.is_active:
-            logger.warning("Did not find %s in LDAP." % (user_profile.email,))
+            logger.warning("Did not find %s in LDAP." % (user_profile.delivery_email,))
        return False

    # What one would expect to see like to do here is just a call to
@@ -744,7 +744,7 @@ def sync_user_from_ldap(user_profile: UserProfile, logger: logging.Logger) -> bo
    # making this flow possible in a more directly supported fashion.
    updated_user = ZulipLDAPUser(backend, ldap_username, realm=user_profile.realm).populate_user()
    if updated_user:
-        logger.info("Updated %s." % (user_profile.email,))
+        logger.info("Updated %s." % (user_profile.delivery_email,))
        return True

    raise PopulateUserLDAPError("populate_user unexpectedly returned {}".format(updated_user))