paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-05 14:35:27 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
0227e59d5eacffc3aab76fce04aaefe43eea6105
zulip/zerver/management/commands/sync_ldap_user_data.py
Tim Abbott 01d8236c47 ldap: Check for deactivating owner role precisely. 
Since the invariant we're trying to protect is that every realm has an
active owner, we should check precisely that.

The root bug here, which the parent commit failed to fix properly, is
that we were doing a "greater than" check when we clearly originally
meant a "less than" check -- lower role numbers have more permissions.
2021-05-06 10:14:22 -07:00

72 lines
3.3 KiB
Python
Raw Blame History

import logging
from argparse import ArgumentParser
from typing import Any, List
from django.conf import settings
from django.db import transaction
from zerver.lib.logging_util import log_to_file
from zerver.lib.management import ZulipBaseCommand
from zerver.models import UserProfile
from zproject.backends import ZulipLDAPException, sync_user_from_ldap
## Setup ##
logger = logging.getLogger('zulip.sync_ldap_user_data')
log_to_file(logger, settings.LDAP_SYNC_LOG_PATH)
# Run this on a cronjob to pick up on name changes.
def sync_ldap_user_data(user_profiles: List[UserProfile], deactivation_protection: bool=True) -> None:
logger.info("Starting update.")
with transaction.atomic():
realms = {u.realm.string_id for u in user_profiles}
for u in user_profiles:
# This will save the user if relevant, and will do nothing if the user
# does not exist.
try:
sync_user_from_ldap(u, logger)
except ZulipLDAPException as e:
logger.error("Error attempting to update user %s:", u.delivery_email)
logger.error(e.args[0])
if deactivation_protection:
if not UserProfile.objects.filter(is_bot=False, is_active=True).exists():
error_msg = ("Ldap sync would have deactivated all users. This is most likely due " +
"to a misconfiguration of ldap settings. Rolling back...\n" +
"Use the --force option if the mass deactivation is intended.")
logger.error(error_msg)
# Raising an exception in this atomic block will rollback the transaction.
raise Exception(error_msg)
for string_id in realms:
if not UserProfile.objects.filter(is_bot=False, is_active=True, realm__string_id=string_id,
role=UserProfile.ROLE_REALM_OWNER).exists():
error_msg = ("Ldap sync would have deactivated all owners of realm %s. " +
"This is most likely due " +
"to a misconfiguration of ldap settings. Rolling back...\n" +
"Use the --force option if the mass deactivation is intended.")
error_msg = error_msg % (string_id,)
logger.error(error_msg)
raise Exception(error_msg)
logger.info("Finished update.")
class Command(ZulipBaseCommand):
def add_arguments(self, parser: ArgumentParser) -> None:
parser.add_argument('-f', '--force',
dest='force',
action="store_true",
default=False,
help='Disable the protection against deactivating all users.')
self.add_realm_args(parser)
self.add_user_list_args(parser)
def handle(self, *args: Any, **options: Any) -> None:
if options.get('realm_id') is not None:
realm = self.get_realm(options)
user_profiles = self.get_users(options, realm, is_bot=False,
include_deactivated=True)
else:
user_profiles = UserProfile.objects.select_related().filter(is_bot=False)
sync_ldap_user_data(user_profiles, not options['force'])
Reference in New Issue View Git Blame Copy Permalink