	register: Allow creating non-ldap users via social backends.
In configurations that use the ldap authentication backend and a social backend, make it possible to create non-ldap users via the social backend.
		
				
					committed by
					
						
						Tim Abbott
					
				
			
			
				
	
			
			
			
						parent
						
							fcc91ae370
						
					
				
				
					commit
					74dd21c8fa
				
			@@ -996,6 +996,38 @@ class SocialAuthBase(ZulipTestCase):
 | 
				
			|||||||
            self.stage_two_of_registration(result, realm, subdomain, email, name, name,
 | 
					            self.stage_two_of_registration(result, realm, subdomain, email, name, name,
 | 
				
			||||||
                                           skip_registration_form=self.BACKEND_CLASS.full_name_validated)
 | 
					                                           skip_registration_form=self.BACKEND_CLASS.full_name_validated)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    @override_settings(TERMS_OF_SERVICE=None)
 | 
				
			||||||
 | 
					    def test_social_auth_with_ldap_auth_registration_from_confirmation(self) -> None:
 | 
				
			||||||
 | 
					        """
 | 
				
			||||||
 | 
					        This test checks that in configurations that use the ldap authentication backend
 | 
				
			||||||
 | 
					        and a social backend, it is possible to create non-ldap users via the social backend.
 | 
				
			||||||
 | 
					        """
 | 
				
			||||||
 | 
					        self.init_default_ldap_database()
 | 
				
			||||||
 | 
					        email = self.nonreg_email("alice")
 | 
				
			||||||
 | 
					        name = "Alice Social"
 | 
				
			||||||
 | 
					        realm = get_realm("zulip")
 | 
				
			||||||
 | 
					        subdomain = "zulip"
 | 
				
			||||||
 | 
					        ldap_user_attr_map = {'full_name': 'cn'}
 | 
				
			||||||
 | 
					        account_data_dict = self.get_account_data_dict(email=email, name=name)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					        backend_path = 'zproject.backends.{}'.format(self.BACKEND_CLASS.__name__)
 | 
				
			||||||
 | 
					        with self.settings(
 | 
				
			||||||
 | 
					                POPULATE_PROFILE_VIA_LDAP=True,
 | 
				
			||||||
 | 
					                LDAP_EMAIL_ATTR='mail',
 | 
				
			||||||
 | 
					                AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map,
 | 
				
			||||||
 | 
					                AUTHENTICATION_BACKENDS=(backend_path,
 | 
				
			||||||
 | 
					                                         'zproject.backends.ZulipLDAPAuthBackend',
 | 
				
			||||||
 | 
					                                         'zproject.backends.ZulipDummyBackend')
 | 
				
			||||||
 | 
					        ):
 | 
				
			||||||
 | 
					            account_data_dict = self.get_account_data_dict(email=email, name=name)
 | 
				
			||||||
 | 
					            result = self.social_auth_test(account_data_dict,
 | 
				
			||||||
 | 
					                                           expect_choose_email_screen=True,
 | 
				
			||||||
 | 
					                                           subdomain=subdomain, is_signup='1')
 | 
				
			||||||
 | 
					            # Full name should get populated as provided by the social backend, because
 | 
				
			||||||
 | 
					            # this user isn't in the ldap dictionary:
 | 
				
			||||||
 | 
					            self.stage_two_of_registration(result, realm, subdomain, email, name, name,
 | 
				
			||||||
 | 
					                                           skip_registration_form=self.BACKEND_CLASS.full_name_validated)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    def test_social_auth_complete(self) -> None:
 | 
					    def test_social_auth_complete(self) -> None:
 | 
				
			||||||
        with mock.patch('social_core.backends.oauth.BaseOAuth2.process_error',
 | 
					        with mock.patch('social_core.backends.oauth.BaseOAuth2.process_error',
 | 
				
			||||||
                        side_effect=AuthFailed('Not found')):
 | 
					                        side_effect=AuthFailed('Not found')):
 | 
				
			||||||
 
 | 
				
			|||||||
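Review bot: The new test `test_social_auth_with_ldap_auth_registration_from_confirmation` exercises only the permissive path. Nothing visible in this hunk checks that, with `LDAP_APPEND_DOMAIN` set and an email inside the LDAP domain, signup through the social backend is still refused now that the registration view also accepts `any_social_backend_enabled(realm)`. A companion negative test would pin that restriction; if one already exists elsewhere in the file, disregard this. Separately, `account_data_dict = self.get_account_data_dict(email=email, name=name)` is assigned both before and inside the `with self.settings(...)` block, so the first assignment can be dropped.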
@@ -35,7 +35,7 @@ from zerver.views.auth import create_preregistration_user, redirect_and_log_into
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
from zproject.backends import ldap_auth_enabled, password_auth_enabled, \
 | 
					from zproject.backends import ldap_auth_enabled, password_auth_enabled, \
 | 
				
			||||||
    ZulipLDAPExceptionNoMatchingLDAPUser, email_auth_enabled, ZulipLDAPAuthBackend, \
 | 
					    ZulipLDAPExceptionNoMatchingLDAPUser, email_auth_enabled, ZulipLDAPAuthBackend, \
 | 
				
			||||||
    email_belongs_to_ldap
 | 
					    email_belongs_to_ldap, any_social_backend_enabled
 | 
				
			||||||
 | 
					
 | 
				
			||||||
from confirmation.models import Confirmation, RealmCreationKey, ConfirmationKeyException, \
 | 
					from confirmation.models import Confirmation, RealmCreationKey, ConfirmationKeyException, \
 | 
				
			||||||
    validate_key, create_confirmation_link, get_object_from_key, \
 | 
					    validate_key, create_confirmation_link, get_object_from_key, \
 | 
				
			||||||
@@ -280,24 +280,20 @@ def accounts_register(request: HttpRequest) -> HttpResponse:
 | 
				
			|||||||
                                        prereg_user=prereg_user,
 | 
					                                        prereg_user=prereg_user,
 | 
				
			||||||
                                        return_data=return_data)
 | 
					                                        return_data=return_data)
 | 
				
			||||||
            if user_profile is None:
 | 
					            if user_profile is None:
 | 
				
			||||||
                can_use_different_backend = email_auth_enabled(realm)
 | 
					                can_use_different_backend = email_auth_enabled(realm) or any_social_backend_enabled(realm)
 | 
				
			||||||
                if settings.LDAP_APPEND_DOMAIN:
 | 
					                if settings.LDAP_APPEND_DOMAIN:
 | 
				
			||||||
                    # In LDAP_APPEND_DOMAIN configurations, we don't allow making a non-ldap account
 | 
					                    # In LDAP_APPEND_DOMAIN configurations, we don't allow making a non-ldap account
 | 
				
			||||||
                    # if the email matches the ldap domain.
 | 
					                    # if the email matches the ldap domain.
 | 
				
			||||||
                    can_use_different_backend = can_use_different_backend and (
 | 
					                    can_use_different_backend = can_use_different_backend and (
 | 
				
			||||||
                        not email_belongs_to_ldap(realm, email))
 | 
					                        not email_belongs_to_ldap(realm, email))
 | 
				
			||||||
                if return_data.get("no_matching_ldap_user") and can_use_different_backend:
 | 
					                if return_data.get("no_matching_ldap_user") and can_use_different_backend:
 | 
				
			||||||
                    # If both the LDAP and Email auth backends are
 | 
					                    # If both the LDAP and Email or Social auth backends are
 | 
				
			||||||
                    # enabled, and there's no matching user in the LDAP
 | 
					                    # enabled, and there's no matching user in the LDAP
 | 
				
			||||||
                    # directory then the intent is to create a user in the
 | 
					                    # directory then the intent is to create a user in the
 | 
				
			||||||
                    # realm with their email outside the LDAP organization
 | 
					                    # realm with their email outside the LDAP organization
 | 
				
			||||||
                    # (with e.g. a password stored in the Zulip database,
 | 
					                    # (with e.g. a password stored in the Zulip database,
 | 
				
			||||||
                    # not LDAP).  So we fall through and create the new
 | 
					                    # not LDAP).  So we fall through and create the new
 | 
				
			||||||
                    # account.
 | 
					                    # account.
 | 
				
			||||||
                    #
 | 
					 | 
				
			||||||
                    # It's likely that we can extend this block to the
 | 
					 | 
				
			||||||
                    # Google and GitHub auth backends with no code changes
 | 
					 | 
				
			||||||
                    # other than here.
 | 
					 | 
				
			||||||
                    pass
 | 
					                    pass
 | 
				
			||||||
                else:
 | 
					                else:
 | 
				
			||||||
                    # TODO: This probably isn't going to give a
 | 
					                    # TODO: This probably isn't going to give a
 | 
				
			||||||
 
 | 
				
			|||||||
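Review bot: `can_use_different_backend` is now true whenever any social backend is enabled for the realm, not only when this particular registration arrived through one. The `no_matching_ldap_user` fall-through may therefore also be reachable by a non-social signup in a realm where email auth is disabled. If that is not intended, the condition should depend on how this request authenticated rather than on realm configuration. What marks a social-auth `prereg_user` is not visible here, and the body of `accounts_register` starts and ends outside the hunk, so this needs confirming against the rest of the function. The retained comment is also stale for the new case, since a social-backend account has no password in the Zulip database; I would reword it to `# (authenticating with e.g. a password stored in the Zulip database or a social backend, not LDAP).`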