
Set Django staff status from superuser status

pull/675/head
Setu Shah 4 years ago
parent
commit
8d0315667c
2 changed files with 16 additions and 6 deletions
  1. 18
      app/server/social_auth.py
  2. 4
      docs/advanced/oauth2_settings.md

18
app/server/social_auth.py

@ -75,7 +75,7 @@ def fetch_azuread_permissions(strategy, details, user=None, is_new=False, *args,
# noinspection PyUnusedLocal # noinspection PyUnusedLocal
def fetch_okta_oauth2_permissions(strategy, details, user=None, is_new=False, *args, **kwargs): def fetch_okta_oauth2_permissions(strategy, details, user=None, is_new=False, *args, **kwargs):
org_url = getattr(settings, 'SOCIAL_AUTH_OKTA_OAUTH2_API_URL', '') org_url = getattr(settings, 'SOCIAL_AUTH_OKTA_OAUTH2_API_URL', '')
group_name = getattr(settings, "OKTA_OAUTH2_ADMIN_GROUP_NAME", "")
admin_group_name = getattr(settings, "OKTA_OAUTH2_ADMIN_GROUP_NAME", "")
if not user or not isinstance(kwargs['backend'], OktaOAuth2): if not user or not isinstance(kwargs['backend'], OktaOAuth2):
return return
@ -88,17 +88,22 @@ def fetch_okta_oauth2_permissions(strategy, details, user=None, is_new=False, *a
response.raise_for_status() response.raise_for_status()
response = response.json() response = response.json()
is_superuser = group_name in response.get("groups", [])
is_superuser = admin_group_name in response.get("groups", [])
is_staff = admin_group_name in response.get("groups", [])
if user.is_superuser != is_superuser: if user.is_superuser != is_superuser:
user.is_superuser = is_superuser user.is_superuser = is_superuser
user.save() user.save()
if user.is_staff != is_staff:
user.is_staff = is_staff
user.save()
# noinspection PyUnusedLocal # noinspection PyUnusedLocal
def fetch_okta_openidconnect_permissions(strategy, details, user=None, is_new=False, *args, **kwargs): def fetch_okta_openidconnect_permissions(strategy, details, user=None, is_new=False, *args, **kwargs):
org_url = getattr(settings, 'SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL', '') org_url = getattr(settings, 'SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL', '')
group_name = getattr(settings, "OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME", "")
admin_group_name = getattr(settings, "OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME", "")
if not user or not isinstance(kwargs['backend'], OktaOpenIdConnect): if not user or not isinstance(kwargs['backend'], OktaOpenIdConnect):
return return
@ -111,8 +116,13 @@ def fetch_okta_openidconnect_permissions(strategy, details, user=None, is_new=Fa
response.raise_for_status() response.raise_for_status()
response = response.json() response = response.json()
is_superuser = group_name in response.get("groups", [])
is_superuser = admin_group_name in response.get("groups", [])
is_staff = admin_group_name in response.get("groups", [])
if user.is_superuser != is_superuser: if user.is_superuser != is_superuser:
user.is_superuser = is_superuser user.is_superuser = is_superuser
user.save() user.save()
if user.is_staff != is_staff:
user.is_staff = is_staff
user.save()
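Review bot: In both fetch_okta_oauth2_permissions and fetch_okta_openidconnect_permissions, `is_staff` is now overwritten on every Okta login from the same membership test as `is_superuser`, so a staff flag granted by hand in Django admin is cleared at the next login for anyone outside the admin group. No guard for an unset `*_ADMIN_GROUP_NAME` (default `""`) is visible in the shown lines, though the middle of each function lies outside the hunks; if the group sync is meant to be optional, skip it with `if not admin_group_name: return` before the membership test. The duplicated lookup and second save can be collapsed to `is_staff = is_superuser` and a single `user.save(update_fields=["is_superuser", "is_staff"])` when either flag changed, so the two privilege flags are never persisted in a mismatched state. It is also worth checking that `response.get("groups", [])` is a list before using `in`, because a string value would turn the test into a substring match and an empty group name would then match every user.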

4
docs/advanced/oauth2_settings.md

@ -57,7 +57,7 @@ In the app settings, please set the redirect URI to `{DOCCANO_URL}/social/comple
Okta Application setup: Okta Application setup:
![image](../images/oauth/okta_oauth_app.png) ![image](../images/oauth/okta_oauth_app.png)
Optionally, if you want to assign Doccano super users from Okta users, you can use Okta groups to assign them the policy. Ensure your Okta [authorization server can serve `groups` claims](https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-groups-claim-org-as/) and set the environment variable `OKTA_OAUTH2_ADMIN_GROUP_NAME`.
Optionally, if you want to assign Doccano super users from Okta users, you can use Okta groups to assign them the policy. This will also assign the users the staff role, allowing them to access the Django admin page and app. Ensure your Okta [authorization server can serve `groups` claims](https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-groups-claim-org-as/) and set the environment variable `OKTA_OAUTH2_ADMIN_GROUP_NAME`.
```bash ```bash
export OKTA_OAUTH2_ADMIN_GROUP_NAME=SUPERUSER_OKTA_GROUP_NAME export OKTA_OAUTH2_ADMIN_GROUP_NAME=SUPERUSER_OKTA_GROUP_NAME
@ -75,7 +75,7 @@ export OAUTH_OKTA_OPENIDCONNECT_API_URL=YOUR_BASE_URL
In the app settings, please set the redirect URI to your app domain `/social/complete/okta-openidconnect/`. For example, if you are serving Doccano at `https://example.com`, the redirect URI should be `https://example.com/social/complete/okta-openidconnect/`. If using a local installation being served at port 8000, set the redirect URI to `http://127.0.0.1:8000/social/complete/okta-openidconnect/`. In the app settings, please set the redirect URI to your app domain `/social/complete/okta-openidconnect/`. For example, if you are serving Doccano at `https://example.com`, the redirect URI should be `https://example.com/social/complete/okta-openidconnect/`. If using a local installation being served at port 8000, set the redirect URI to `http://127.0.0.1:8000/social/complete/okta-openidconnect/`.
Optionally, if you want to assign Doccano super users from Okta users, you can use Okta groups to assign them the policy. Ensure your Okta [authorization server can serve `groups` claims](https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-groups-claim-org-as/) and set the environment variable `OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME`.
Optionally, if you want to assign Doccano super users from Okta users, you can use Okta groups to assign them the policy. This will also assign the users the staff role, allowing them to access the Django admin page and app. Ensure your Okta [authorization server can serve `groups` claims](https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-groups-claim-org-as/) and set the environment variable `OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME`.
```bash ```bash
export OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME=SUPERUSER_OKTA_GROUP_NAME export OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME=SUPERUSER_OKTA_GROUP_NAME
