Only show roles in active roups in the oidc roles claim. Fixes #3424.…

… Commit ready for merge. - Legacy-Id: 19412
ietf-tools · Oct 11, 2021 · 21f5a55 · 21f5a55
1 parent d1a9f0d
commit 21f5a55
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/ietf/ietfauth/tests.py b/ietf/ietfauth/tests.py
@@ -810,7 +810,8 @@ def test_oidc_code_auth(self):
 
             # Get a user for which we want to get access
             person = PersonFactory(with_bio=True)
-            RoleFactory(name_id='chair', person=person)
+            active_group = RoleFactory(name_id='chair', person=person).group
+            closed_group = RoleFactory(name_id='chair', person=person, group__state_id='conclude').group
             # an additional email
             EmailFactory(person=person)
             email_list = person.email_set.all().values_list('address', flat=True)
@@ -880,6 +881,8 @@ def test_oidc_code_auth(self):
                 self.assertTrue(userinfo[key])
             self.assertIn('remote', set(userinfo['reg_type'].split()))
             self.assertNotIn('hackathon', set(userinfo['reg_type'].split()))
+            self.assertIn(active_group.acronym, [i[1] for i in userinfo['roles']])
+            self.assertNotIn(closed_group.acronym, [i[1] for i in userinfo['roles']])
 
             # Create another registration, with a different email
             MeetingRegistration.objects.create(

diff --git a/ietf/ietfauth/utils.py b/ietf/ietfauth/utils.py
@@ -247,7 +247,7 @@ class OidcExtraScopeClaims(oidc_provider.lib.claims.ScopeClaims):
         )
 
     def scope_roles(self):
-        roles = self.user.person.role_set.values_list('name__slug', 'group__acronym')
+        roles = self.user.person.role_set.filter(group__state_id__in=('active','bof','proposed')).values_list('name__slug', 'group__acronym')
         info = {
                 'roles': list(roles)
             }