mirror of
https://github.com/zulip/zulip.git
synced 2025-11-16 03:41:58 +00:00
Previously, if you had LDAPAuthBackend enabled, we basically blocked any other auth backends from working at all, by requiring the user's login flow include verifying the user's LDAP password. We still want to enforce that in the case that the account email matches LDAP_APPEND_DOMAIN, but there's a reasonable corner case: Having effectively guest users from outside the LDAP domain. We don't want to allow creating a Zulip-level password for a user inside the LDAP domain, so we still verify the LDAP password in that flow, but if the email is allowed to register (due to invite or whatever) but is outside the LDAP domain for the organization, we allow it to create an account and set a password.

For the moment, this solution only covers EmailAuthBackend. It's likely that just extending the list of other backends we check for in the new conditional on `email_auth_backend` would be correct, but we haven't done any testing for those cases, and with auth code paths, it's better to disallow than allow untested code paths.

Fixes #9422.
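The registration decision the commit message describes, written out as an added illustration that is not Zulip's own code; the `AuthConfig` class, the backend name constants and the `example.com` domain are constructed for the example, and it assumes the invite/registration-permission check has already passed:

```python
# Added illustration (not Zulip's code) of the flow the commit describes.
# Names, the AuthConfig shape and the sample domain are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Optional

LDAP = "LDAPAuthBackend"
EMAIL = "EmailAuthBackend"


@dataclass(frozen=True)
class AuthConfig:
    enabled_backends: FrozenSet[str]
    ldap_append_domain: Optional[str]  # e.g. "example.com" (constructed value)


def email_belongs_to_ldap(config: AuthConfig, email: str) -> bool:
    """True if the address falls under LDAP_APPEND_DOMAIN.

    Compare the part after the last '@' exactly and case-insensitively
    instead of using a raw suffix match, so 'user@notexample.com' is not
    treated as a member of 'example.com'.
    """
    if LDAP not in config.enabled_backends or not config.ldap_append_domain:
        return False
    _, sep, domain = email.strip().rpartition("@")
    return sep == "@" and domain.lower() == config.ldap_append_domain.lower()


def registration_flow(config: AuthConfig, email: str) -> str:
    """Decide how a permitted registration for `email` must authenticate.

    'ldap_password'  : inside the LDAP domain; the LDAP password must be
                       verified and no Zulip-level password is created.
    'zulip_password' : outside the LDAP domain and EmailAuthBackend is on;
                       the user may create an account and set a password.
    'denied'         : any other combination; untested auth paths are
                       refused rather than allowed.
    """
    if email_belongs_to_ldap(config, email):
        return "ldap_password"
    if EMAIL in config.enabled_backends:
        return "zulip_password"
    return "denied"
```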