From 21f5a55e2f8fb0c3d640aced86850f207bc11c24 Mon Sep 17 00:00:00 2001
From: Robert Sparks
Date: Mon, 11 Oct 2021 19:08:46 +0000
Subject: [PATCH] Only show roles in active roups in the oidc roles claim. Fixes #3424. Commit ready for merge.
- Legacy-Id: 19412
---
 ietf/ietfauth/tests.py | 5 ++++-
 ietf/ietfauth/utils.py | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/ietf/ietfauth/tests.py b/ietf/ietfauth/tests.py
index ec23b69a65..737af3e2ea 100644
--- a/ietf/ietfauth/tests.py
+++ b/ietf/ietfauth/tests.py
@@ -810,7 +810,8 @@ def test_oidc_code_auth(self):
 # Get a user for which we want to get access
 person = PersonFactory(with_bio=True)
- RoleFactory(name_id='chair', person=person)
+ active_group = RoleFactory(name_id='chair', person=person).group
+ closed_group = RoleFactory(name_id='chair', person=person, group__state_id='conclude').group
 # an additional email
 EmailFactory(person=person)
 email_list = person.email_set.all().values_list('address', flat=True)
@@ -880,6 +881,8 @@ def test_oidc_code_auth(self):
 self.assertTrue(userinfo[key])
 self.assertIn('remote', set(userinfo['reg_type'].split()))
 self.assertNotIn('hackathon', set(userinfo['reg_type'].split()))
+ self.assertIn(active_group.acronym, [i[1] for i in userinfo['roles']])
+ self.assertNotIn(closed_group.acronym, [i[1] for i in userinfo['roles']])
 # Create another registration, with a different email
 MeetingRegistration.objects.create(
diff --git a/ietf/ietfauth/utils.py b/ietf/ietfauth/utils.py
index 40042fbfdc..9e9126fe3f 100644
--- a/ietf/ietfauth/utils.py
+++ b/ietf/ietfauth/utils.py
@@ -247,7 +247,7 @@ class OidcExtraScopeClaims(oidc_provider.lib.claims.ScopeClaims):
 )
 def scope_roles(self):
- roles = self.user.person.role_set.values_list('name__slug', 'group__acronym')
+ roles = self.user.person.role_set.filter(group__state_id__in=('active','bof','proposed')).values_list('name__slug', 'group__acronym')
 info = { 'roles': list(roles) }
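Review bot: The first added line builds `active_group` without setting a group state, so the positive assertion later in the test depends on RoleFactory's default state happening to fall inside the allow-list that `scope_roles` now applies (`'active','bof','proposed'` in the utils.py hunk); if that factory default ever changes the test would start failing or, worse, stop exercising the filter. Make the fixture explicit: `active_group = RoleFactory(name_id='chair', person=person, group__state_id='active').group`. The negative case covers only `'conclude'`; because the roles claim is what an OIDC relying party may base authorization on, a second excluded state (whichever slug the project uses for dormant or abandoned groups — to be confirmed against the state table) would catch a later widening of the filter. The enclosing `test_oidc_code_auth` starts and ends outside this hunk.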
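Review bot: The two added assertions look only at column `i[1]` of each role entry, so they still pass if the role name in position 0 is wrong or if the claim carries unrelated extra entries; since both fixture roles are `chair`, pinning the whole pair is cheap and also documents the serialized shape of the claim. Suggested replacement: `self.assertIn(['chair', active_group.acronym], userinfo['roles'])` and `self.assertNotIn(['chair', closed_group.acronym], userinfo['roles'])` (the element type, list versus tuple, should be confirmed from how `userinfo` is decoded earlier in the test, which is outside this hunk). If the acronym-only form is kept, build the comprehension once, `acronyms = [i[1] for i in userinfo['roles']]`, rather than twice on consecutive lines. `test_oidc_code_auth` continues beyond this hunk.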