paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-04 05:53:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

auth: Fix re-enabling of SAML/AzureAD in organization settings UI.

Browse Source 
This bug was introduced in da9e4e6e54.
validate validate_plan_for_authentication_methods is already called
inside validate_authentication_methods_dict_from_api, conditionally on
settings.BILLING_ENABLED. This additional, redundant call runs
regardless of BILLING_ENABLED, and thus prevents a self-hosted server
from enabling certain backends in the organization settings UI.

The impact of this is limited - in order to encounter this bug, a
self-hosted server would have to first disable the backend in the UI, as
self-hosted realms are created with all backend flags enabled. A backend
doesn't show up in the org settings UI until it is first enabled in
AUTHENTICATION_BACKENDS in settings.py - that's why this is a rare
state. A sequence of steps like this has to be followed to reproduce:
1. Add the backend to AUTHENTICATION_BACKENDS in settings.py.
2. Disable the backend in the org settings UI.
3. Now try to re-enable it, which fails due to the bug.

(cherry picked from commit 114f13e0ee)
This commit is contained in:
Mateusz Mandera
2024-08-05 23:14:41 +02:00
committed by Tim Abbott
parent 733c5be8a4
commit bbabd51e4a
2 changed files with 15 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
zerver/tests/test_auth_backends.py
View File

@@ -7368,6 +7368,21 @@ class TestAdminSetBackends(ZulipTestCase):
result, "Authentication method AzureAD is not available on your current plan." result, "Authentication method AzureAD is not available on your current plan."
) )
# With BILLING_ENABLED=False, no such restrictions apply.
with self.settings(BILLING_ENABLED=False):
result = self.client_patch(
"/json/realm",
{
"authentication_methods": orjson.dumps(
{"Email": True, "Dev": True, "AzureAD": True}
).decode()
},
)
self.assert_json_success(result)
self.assertEqual(
realm.authentication_methods_dict(), {"Dev": True, "Email": True, "AzureAD": True}
)
class EmailValidatorTestCase(ZulipTestCase): class EmailValidatorTestCase(ZulipTestCase):
def test_valid_email(self) -> None: def test_valid_email(self) -> None:

2
zerver/views/realm.py
View File

@@ -25,7 +25,6 @@ from zerver.actions.realm_settings import (
do_set_realm_zulip_update_announcements_stream, do_set_realm_zulip_update_announcements_stream,
parse_and_set_setting_value_if_required, parse_and_set_setting_value_if_required,
validate_authentication_methods_dict_from_api, validate_authentication_methods_dict_from_api,
validate_plan_for_authentication_methods,
) )
from zerver.decorator import require_realm_admin, require_realm_owner from zerver.decorator import require_realm_admin, require_realm_owner
from zerver.forms import check_subdomain_available as check_subdomain from zerver.forms import check_subdomain_available as check_subdomain
@@ -200,7 +199,6 @@ def update_realm(
validate_authentication_methods_dict_from_api(realm, authentication_methods) validate_authentication_methods_dict_from_api(realm, authentication_methods)
if True not in authentication_methods.values(): if True not in authentication_methods.values():
raise JsonableError(_("At least one authentication method must be enabled.")) raise JsonableError(_("At least one authentication method must be enabled."))
validate_plan_for_authentication_methods(realm, authentication_methods)
if video_chat_provider is not None and video_chat_provider not in { if video_chat_provider is not None and video_chat_provider not in {
p["id"] for p in Realm.VIDEO_CHAT_PROVIDERS.values() p["id"] for p in Realm.VIDEO_CHAT_PROVIDERS.values()