Skip to content

Commit

Permalink
If in LDAP mode, users not being assign a default role at login (#8708)
Browse files Browse the repository at this point in the history
Currently if using LDAP auth IAM_TYPE, a user might have access to the
application to login but no role is assigned to the user. This creates
confusion to users as they are not able to perform any actions in CVAT
even though they can login.

In comparison, this behaviour is not encountered if using the BASIC auth
IAM_TYPE, as the `IAM_DEFAULT_ROLE`, is assigned to the user when logs
in for the first time.

To explain a bit further the flow that we encountered, maintainers of an
organization use the email service to invite users to their org, then
users click on the email link, login to the application and accept the
invite to the organization. Even though they might be even `maintainers`
in the organization they cannot perform any action as the rego rules for
organization need users to at least have the "worker" role in the
application. The same goes for sending invitation to the organization if
they have been made `mantainers`. Here the links to the rego files:

-
https://github.com/cvat-ai/cvat/blob/develop/cvat/apps/organizations/rules/organizations.rego
-
https://github.com/cvat-ai/cvat/blob/develop/cvat/apps/organizations/rules/invitations.rego

### How has this been tested?
Yes, I have a local deployment with LDAP enabled. WIth these changes, if
I log in then I get assigned the default role and I can perform actions
in the application.


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **New Features**
- Enhanced LDAP user management by refining group assignment logic,
ensuring default roles are only assigned to non-superuser and non-staff
users.

- **Bug Fixes**
- Improved control flow for user group assignments to prevent
unnecessary role assignments for elevated privilege users.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Rodrigo Agundez <rodrigo.agundez@dyson.com>
Co-authored-by: Maria Khrustaleva <maria@cvat.ai>
  • Loading branch information
3 people authored Nov 25, 2024
1 parent d79e056 commit e97ace2
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 0 deletions.
3 changes: 3 additions & 0 deletions changelog.d/20241125_193231_rragundez_ldap_default_role.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
### Added

- A default role if IAM_TYPE='LDAP' and if the user is not a member of any group in 'DJANGO_AUTH_LDAP_GROUPS' (<https://github.com/cvat-ai/cvat/pull/8708>)
3 changes: 3 additions & 0 deletions cvat/apps/iam/signals.py
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,9 @@ def create_user(sender, user=None, ldap_user=None, **kwargs):
if role == settings.IAM_ADMIN_ROLE:
user.is_staff = user.is_superuser = True
break
# add default group if no other group has been assigned
if not len(user_groups):
user_groups.append(Group.objects.get(name=settings.IAM_DEFAULT_ROLE))

# It is important to save the user before adding groups. Please read
# https://django-auth-ldap.readthedocs.io/en/latest/users.html#populating-users
Expand Down

0 comments on commit e97ace2

Please sign in to comment.