mirror of
https://github.com/zulip/zulip.git
synced 2025-11-03 21:43:21 +00:00
6ea67a7df2
This was broken, due the mechanism simply using our is_guest/is_realm_admin/etc. role setters, but failing to adjust system group memberships - resulting in corrupted database state. We need to ensure that change_user_role is called for setting user role. There are two relevant codepaths that run the sync based on AUTH_LDAP_USER_FLAGS_BY_GROUP and thus need to get this right: 1. manage.py sync_ldap_user_data 2. Just-in-time user creation when a user without a Zulip account logs in for the first using their ldap credentials. After get_or_build_user returns, django-auth-ldap sees that the user account has just been created, and proceeds to run ._populate_user(). Now that both user.save() and do_change_user_realm will be getting called together, we need to ensure this always happens atomically. This imposes the need to override _get_or_create_user to put it in a transaction. The troublesome consequence is that this new `atomic(savepoint=False)` causes the usual type of issue, where tests testing error get their transaction rolled back and cannot continue executing. To get around that, we add a test helper `artificial_transaction_savepoint` which allows these tests to wrap their problematic blocks in an artificial transaction which provides a savepoint, thus preventing the full test transaction rollback derailing the rest of the test.