diff --git a/passbook/lib/views.py b/passbook/lib/views.py
index bb8dcde89..2ca27ce80 100644
--- a/passbook/lib/views.py
+++ b/passbook/lib/views.py
@@ -20,6 +20,5 @@ class CreateAssignPermView(CreateView):
 self.object._meta.app_label,
 self.object._meta.model_name,
 )
-print(full_permission)
 assign_perm(full_permission, self.request.user, self.object)
 return response
diff --git a/passbook/providers/oidc/lib.py b/passbook/providers/oidc/lib.py
index 0a4168102..9e1d685ae 100644
--- a/passbook/providers/oidc/lib.py
+++ b/passbook/providers/oidc/lib.py
@@ -1,21 +1,38 @@
 """OIDC Permission checking"""
+from typing import Optional
+
 from django.contrib import messages
+from django.http import HttpRequest, HttpResponse
 from django.shortcuts import redirect
+from oidc_provider.models import Client
 from structlog import get_logger
+from django.db.models.deletion import Collector
 from passbook.audit.models import Event, EventAction
-from passbook.core.models import Application
+from passbook.core.models import Application, User, Provider
 from passbook.policies.engine import PolicyEngine
 LOGGER = get_logger()
-def check_permissions(request, user, client):
+def check_permissions(
+ request: HttpRequest, user: User, client: Client
+) -> Optional[HttpResponse]:
 """Check permissions, used for https://django-oidc-provider.readthedocs.io/en/latest/
 sections/settings.html#oidc-after-userlogin-hook"""
 try:
-application = client.openidprovider.application
+# because oidc_provider is also used by app_gw, we can't be
+# sure an OpenIDPRovider instance exists. hence we look through all related models
+# and choose the one that inherits from Provider, which is guaranteed to
+# have the application property
+collector = Collector(using="default")
+collector.collect([client])
+for _, related in collector.data.items():
+related_object = next(iter(related))
+if isinstance(related_object, Provider):
+application = related.application
+break
 except Application.DoesNotExist:
 return redirect("passbook_providers_oauth:oauth2-permission-denied")
 LOGGER.debug(
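Review bot: `application = related.application` reads the attribute off `related`, which is the set of collected instances for that model (`collector.data` maps model class to a set), not the `related_object` tested on the line above, so the lookup raises `AttributeError` on the first `Provider` hit; it should be `related_object.application`. When no collected object is a `Provider` the loop exits with `application` never bound and the function fails with `UnboundLocalError` rather than reaching the permission-denied redirect, because only `Application.DoesNotExist` is caught — the no-provider case should deny explicitly. `next(iter(related))` also inspects a single arbitrary member of each set, so if `Collector.collect` gathers more than one instance of a model (it walks everything cascade-deletable from the client, which presumably can include several related rows) a `Provider` among them can be skipped; scanning every member removes the dependence on set ordering. The body of `check_permissions` continues below the hunk.
```python
        # … unchanged: Collector setup and collect([client]) …
        providers = (
            obj
            for related in collector.data.values()
            for obj in related
            if isinstance(obj, Provider)
        )
        provider = next(providers, None)
        if provider is None:
            # nothing related to this client is a Provider: deny explicitly
            # instead of leaving `application` unbound
            return redirect("passbook_providers_oauth:oauth2-permission-denied")
        application = provider.application
```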