Merge pull request #17 from keitaroinc/sysadmin-config-ckan-2.8

If sysadmins_list is not set then do not manage sysadmin permissions …
keitaroinc · Jan 15, 2021 · 700b82c · 700b82c
2 parents c351882 + 316914d
commit 700b82c
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 12 deletions.
diff --git a/README.rst b/README.rst
@@ -121,6 +121,9 @@ Optional::
      ckanext.saml2auth.enable_ckan_internal_login = True
 
      # List of email addresses from users that should be created as sysadmins (system administrators)
+     # Note that this means that CKAN sysadmins will _only_ be managed based on this config option and will override existing user permissions in the CKAN database
+     # If not set then it is ignored and CKAN sysadmins are managed through normal means
+     # Default: <Not set>
      ckanext.saml2auth.sysadmins_list = mail@domain.com mail2@domain.com mail3@domain.com
 
      # Indicates that attributes that are not recognized (they are not configured in attribute-mapping),

diff --git a/bin/travis-build.bash b/bin/travis-build.bash
@@ -28,7 +28,7 @@ sudo -u postgres psql -c "CREATE USER ckan_default WITH PASSWORD 'pass';"
 sudo -u postgres psql -c 'CREATE DATABASE ckan_test WITH OWNER ckan_default;'
 
 echo "Setting up Solr..."
-docker run --name ckan-solr -p 8983:8983 -d openknowledge/ckan-solr-dev:2.8
+docker run --name ckan-solr -p 8983:8983 -d ghcr.io/keitaroinc/ckan-solr-dev:2.8
 
 echo "Initialising the database..."
 

diff --git a/ckanext/saml2auth/helpers.py b/ckanext/saml2auth/helpers.py
@@ -42,14 +42,15 @@ def update_user_sysadmin_status(username, email):
     user = model.User.by_name(text_type(username))
     sysadmin = authz.is_sysadmin(username)
 
-    if sysadmin and email not in sysadmins_list:
-        user.sysadmin = False
-        model.Session.add(user)
-        model.Session.commit()
-    elif not sysadmin and email in sysadmins_list:
-        user.sysadmin = True
-        model.Session.add(user)
-        model.Session.commit()
+    if sysadmins_list:
+        if sysadmin and email not in sysadmins_list:
+            user.sysadmin = False
+            model.Session.add(user)
+            model.Session.commit()
+        elif not sysadmin and email in sysadmins_list:
+            user.sysadmin = True
+            model.Session.add(user)
+            model.Session.commit()
 
 
 def activate_user_if_deleted(userobj):

diff --git a/ckanext/saml2auth/tests/test_helpers.py b/ckanext/saml2auth/tests/test_helpers.py
@@ -50,7 +50,8 @@ def test_01_update_user_sysadmin_status_make_sysadmin():
     assert is_sysadmin
 
 
-@helpers.change_config(u'ckanext.saml2auth.sysadmins_list', '')
+@helpers.change_config(u'ckanext.saml2auth.sysadmins_list',
+                       'differentuser@example.com')
 def test_02_update_user_sysadmin_status_remove_sysadmin_role():
 
     helpers.reset_db()

diff --git a/ckanext/saml2auth/views/saml2auth.py b/ckanext/saml2auth/views/saml2auth.py
@@ -93,8 +93,8 @@ def acs():
 
     g.user = user_dict['name']
 
-    # If user email is in given list of emails
-    # make that user sysadmin and opposite
+    # Check if the authenticated user email is in given list of emails
+    # and make that user sysadmin and opposite
     h.update_user_sysadmin_status(g.user, email)
 
     g.userobj = model.User.by_name(g.user)