register: Allow creating non-ldap users via social backends.

In configurations that use the ldap authentication backend and a social
backend, make it possible to create non-ldap users via the social backend.
This commit is contained in:
Mateusz Mandera
2019-11-21 14:48:49 +01:00
committed by Tim Abbott
parent fcc91ae370
commit 74dd21c8fa
2 changed files with 35 additions and 7 deletions

View File

@@ -996,6 +996,38 @@ class SocialAuthBase(ZulipTestCase):
self.stage_two_of_registration(result, realm, subdomain, email, name, name,
skip_registration_form=self.BACKEND_CLASS.full_name_validated)
@override_settings(TERMS_OF_SERVICE=None)
def test_social_auth_with_ldap_auth_registration_from_confirmation(self) -> None:
"""
This test checks that in configurations that use the ldap authentication backend
and a social backend, it is possible to create non-ldap users via the social backend.
"""
self.init_default_ldap_database()
email = self.nonreg_email("alice")
name = "Alice Social"
realm = get_realm("zulip")
subdomain = "zulip"
ldap_user_attr_map = {'full_name': 'cn'}
account_data_dict = self.get_account_data_dict(email=email, name=name)
backend_path = 'zproject.backends.{}'.format(self.BACKEND_CLASS.__name__)
with self.settings(
POPULATE_PROFILE_VIA_LDAP=True,
LDAP_EMAIL_ATTR='mail',
AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map,
AUTHENTICATION_BACKENDS=(backend_path,
'zproject.backends.ZulipLDAPAuthBackend',
'zproject.backends.ZulipDummyBackend')
):
account_data_dict = self.get_account_data_dict(email=email, name=name)
result = self.social_auth_test(account_data_dict,
expect_choose_email_screen=True,
subdomain=subdomain, is_signup='1')
# Full name should get populated as provided by the social backend, because
# this user isn't in the ldap dictionary:
self.stage_two_of_registration(result, realm, subdomain, email, name, name,
skip_registration_form=self.BACKEND_CLASS.full_name_validated)
def test_social_auth_complete(self) -> None:
with mock.patch('social_core.backends.oauth.BaseOAuth2.process_error',
side_effect=AuthFailed('Not found')):

View File

@@ -35,7 +35,7 @@ from zerver.views.auth import create_preregistration_user, redirect_and_log_into
from zproject.backends import ldap_auth_enabled, password_auth_enabled, \
ZulipLDAPExceptionNoMatchingLDAPUser, email_auth_enabled, ZulipLDAPAuthBackend, \
email_belongs_to_ldap
email_belongs_to_ldap, any_social_backend_enabled
from confirmation.models import Confirmation, RealmCreationKey, ConfirmationKeyException, \
validate_key, create_confirmation_link, get_object_from_key, \
@@ -280,24 +280,20 @@ def accounts_register(request: HttpRequest) -> HttpResponse:
prereg_user=prereg_user,
return_data=return_data)
if user_profile is None:
can_use_different_backend = email_auth_enabled(realm)
can_use_different_backend = email_auth_enabled(realm) or any_social_backend_enabled(realm)
if settings.LDAP_APPEND_DOMAIN:
# In LDAP_APPEND_DOMAIN configurations, we don't allow making a non-ldap account
# if the email matches the ldap domain.
can_use_different_backend = can_use_different_backend and (
not email_belongs_to_ldap(realm, email))
if return_data.get("no_matching_ldap_user") and can_use_different_backend:
# If both the LDAP and Email auth backends are
# If both the LDAP and Email or Social auth backends are
# enabled, and there's no matching user in the LDAP
# directory then the intent is to create a user in the
# realm with their email outside the LDAP organization
# (with e.g. a password stored in the Zulip database,
# not LDAP). So we fall through and create the new
# account.
#
# It's likely that we can extend this block to the
# Google and GitHub auth backends with no code changes
# other than here.
pass
else:
# TODO: This probably isn't going to give a