contrib: CERN<->group linking

[crepererum]

• Links user to existing groups if invenio-groups is installed.

Signed-off-by: Marco Neumann marco@crepererum.net

[jirikuncar]

is it possible that we don't get a user from https://github.com/inveniosoftware/invenio-oauthclient/pull/7/files#diff-b49dd27458efb60f2de74978e6d3eecfR211?

If the user is empty we should probably better logout the user. WDYT?

[crepererum]

CC @ludmilamarian what do you think?

[ludmilamarian]

I'm thinking that the cern client (as well as the other clients) should only be a thin layer that handles specific client data, and all the logic and making sure that the user/token/etc. are well created and made available to the application should be taken care of in the oauthclient handlers - which I think is already the case. account_setup function should not even be called if anything is wrong with creating/fetching the user.

[ludmilamarian]

Can you register a warning in this case, so that it's clear for the admin why groups are not updated?
I'm not sure how we will use the invenio-groups module - I don't think we are using the groups now, but it's good to have it in the logs if anything is expected, but it's not installed.
One more thing: how do you remove people from groups in this case?

[jirikuncar]

@ludmilamarian was there any configuration option before for synchronizing Invenio groups with CERN LDAP groups?

[ludmilamarian]

This is what I was discussing with @crepererum IRL just now - we are not using Invenio groups as far as I know, but we are relying on the groups that we receive each time via SSO and are stored in the user_info / current_user object. So we don't really need any synchro.

[lnielsen]

Wouldn't it be better to complement this via a signal?

[crepererum]

It is there to decide if we do a current_user.reload(). Ideally, our invenio.ext.login.legacy_user module should know do this on its own.

[jirikuncar]

Since #19 has been merged, one can use new signals to update groups.