Respect User.is_active when logging in with SAML SSO.

 






 

 


  Review Request #14331
  —
  Created Feb. 6, 2025 and submitted  — Latest diff uploaded 

 


















 

  

   Information

  





 
 

  david
 









 
 

  Review Board
 









 
 

  release-6.x
 









 
 

  
 









 
 

  
 






 




 

  

   Reviewers

  





 
 

  reviewboard
 









 
 

  
 






 








 





  


 
 

  
When we built the SSO support, we made the assumption that all user

management would happen on the IdP side. We've had a report of a user

that wants to connect their IdP generally, but selectively mark users as

active or not on the Review Board side.


This change makes it so the SAML ACS and link-user views check the

is_active flag. In the link-user flow, we rely on the authentication

view/form to show the same error that someone would get if they were

logging in with a username and password. In the ACS flow, we just

redirect to a permission denied page.


While writing tests for this, things were getting a little unwieldy, so

I split up the SAML view tests into separate classes.

 








  


 
 

  
    

  • Set my user account to inactive and tried to log in with SAML. Saw
    
  that things worked as expected.
    • 

  • Ran unit tests.
    • 


 







 









 





  








 




 







   

    
    
Diff Revision 3 (Latest)



    

 

 

 

 
orig
1
2
3

 



    


    

      
Commits

      

 

 

  
   First
   Last
  
  Summary
  ID
  Author
 



 
  
   
  
  
   
  
 
 
  
   
    

     Respect User.is_active when logging in with SAML SSO.
     
When we built the SSO support, we made the assumption that all user
management would happen on the IdP side. We've had a report of a user
that wants to connect their IdP generally, but selectively mark users as
active or not on the Review Board side.

This change makes it so the SAML ACS and link-user views check the
`is_active` flag. In the link-user flow, we rely on the authentication
view/form to show the same error that someone would get if they were
logging in with a username and password. In the ACS flow, we just
redirect to a permission denied page.

While writing tests for this, things were getting a little unwieldy, so
I split up the SAML view tests into separate classes.

Testing Done:
- Set my user account to inactive and tried to log in with SAML. Saw
  that things worked as expected.
- Ran unit tests.

    

   
  		
  b39328342a3e5456f66b3ed0b2ba8e3a3e3bef41
  David Trowbridge
 




    


    
    

   

  

 









 

  

   
    

     
      
      reviewboard/accounts/errors.py
     
    

   
  

 



 

  

   
    

     
      
      reviewboard/accounts/sso/backends/base.py
     
    

   
  

 



 

  

   
    

     
      
      reviewboard/accounts/sso/backends/saml/forms.py
     
    

   
  

 



 

  

   
    

     
      
      reviewboard/accounts/sso/backends/saml/sso_backend.py
     
    

   
  

 



 

  

   
    

     
      
      reviewboard/accounts/sso/backends/saml/views.py
     
    

   
  

 



 

  

   
    

     
      
      reviewboard/accounts/tests/test_saml_forms.py
     
    

   
  

 



 

  

   
    

     
      
      reviewboard/accounts/tests/test_saml_views.py
     
    

   
  

 










     

    

   

  

  

   
   Loading...