From 21f5a55e2f8fb0c3d640aced86850f207bc11c24 Mon Sep 17 00:00:00 2001
From: Robert Sparks <rjsparks@nostrum.com>
Date: Mon, 11 Oct 2021 19:08:46 +0000
Subject: [PATCH] Only show roles in active roups in the oidc roles claim.
 Fixes #3424. Commit ready for merge.  - Legacy-Id: 19412

---
 ietf/ietfauth/tests.py | 5 ++++-
 ietf/ietfauth/utils.py | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/ietf/ietfauth/tests.py b/ietf/ietfauth/tests.py
index ec23b69a6..737af3e2e 100644
--- a/ietf/ietfauth/tests.py
+++ b/ietf/ietfauth/tests.py
@@ -810,7 +810,8 @@ class OpenIDConnectTests(TestCase):
 
             # Get a user for which we want to get access
             person = PersonFactory(with_bio=True)
-            RoleFactory(name_id='chair', person=person)
+            active_group = RoleFactory(name_id='chair', person=person).group
+            closed_group = RoleFactory(name_id='chair', person=person, group__state_id='conclude').group
             # an additional email
             EmailFactory(person=person)
             email_list = person.email_set.all().values_list('address', flat=True)
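Review bot: The second RoleFactory call on the `closed_group` line is the only place the test exercises an excluded group state, and nothing in the hunk says why that role exists, so a later edit could drop it without noticing the claim coverage it provides; a comment above it would carry the intent, e.g. `# role in a concluded group: must be omitted from the OIDC roles claim`. Only 'conclude' is covered here, so the other states the claim filter rejects appear to be untested. The enclosing test method starts before this hunk.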
@@ -880,6 +881,8 @@ class OpenIDConnectTests(TestCase):
                 self.assertTrue(userinfo[key])
             self.assertIn('remote', set(userinfo['reg_type'].split()))
             self.assertNotIn('hackathon', set(userinfo['reg_type'].split()))
+            self.assertIn(active_group.acronym, [i[1] for i in userinfo['roles']])
+            self.assertNotIn(closed_group.acronym, [i[1] for i in userinfo['roles']])
 
             # Create another registration, with a different email
             MeetingRegistration.objects.create(
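Review bot: The list `[i[1] for i in userinfo['roles']]` is built twice on the two added assertion lines and indexes the tuple positionally, which hides that element 1 is the group acronym; bind it once with a name that says so, `claimed_groups = [acronym for _, acronym in userinfo['roles']]`, then `self.assertIn(active_group.acronym, claimed_groups)` and `self.assertNotIn(closed_group.acronym, claimed_groups)`. The assertNotIn only proves exclusion if the two factory-made groups have distinct acronyms, which seems to be the case with generated acronyms but is not asserted; `self.assertNotEqual(active_group.acronym, closed_group.acronym)` would make that explicit. The enclosing test method continues outside the hunk.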
diff --git a/ietf/ietfauth/utils.py b/ietf/ietfauth/utils.py
index 40042fbfd..9e9126fe3 100644
--- a/ietf/ietfauth/utils.py
+++ b/ietf/ietfauth/utils.py
@@ -247,7 +247,7 @@ class OidcExtraScopeClaims(oidc_provider.lib.claims.ScopeClaims):
         )
 
     def scope_roles(self):
-        roles = self.user.person.role_set.values_list('name__slug', 'group__acronym')
+        roles = self.user.person.role_set.filter(group__state_id__in=('active','bof','proposed')).values_list('name__slug', 'group__acronym')
         info = {
                 'roles': list(roles)
             }
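Review bot: The state allow-list `('active','bof','proposed')` on the filter line is an undocumented inline literal, although it now decides which group memberships a relying party receives as an authorization claim in the token; hoisting it to a named module constant such as `ACTIVE_GROUP_STATES = ('active', 'bof', 'proposed')` and referencing it from the query would make that decision reviewable and reusable. A comment above the query should state the contract, e.g. `# Only assert roles in groups that are currently operating; roles in concluded or otherwise inactive groups must not appear in the claim`. The accompanying test only checks the 'conclude' state, so a future change to this tuple (dropping or adding a state) would likely go undetected. The literal also omits the space after each comma that the rest of the file's style uses. scope_roles continues past the end of this hunk.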