Stop revoking privileges

[avdata99]

If you manually promote a user as sysadmin this extension will revoke these privileges in the next login

User's email must be explicitly defined in the ckanext.saml2auth.sysadmins_list list
This may not be intuitive and could be interpreted as a bug.

Proposed solution

If ckanext.saml2auth.sysadmins_list is empty or not defined then we don't change any privileges at login time.

[adborden]

Some background:

For security compliance, we want to be able to manage user privileges in the database. At any point in time, we should be able to query CKAN for users and their authorization level. Having sysadmins in config, but organization admins in the database is confusing to auditors.

Also having the sysadmins in config means our audit log for sysadmin changes is different than the audit log for other privileged users.

[mbocevski]

This may not be intuitive and could be interpreted as a bug.

I agree, also in scenarios where local login is also enabled this is not ideal. I think that the approach should be if not set then we don't change any privilege at login time. If it's empty or has a list of email addresses then it should change privileges, empty being a valid choice i.e. no sysadmins.

[mbocevski]

@avdata99 @adborden you ok with #16 ?

[avdata99]

I agree with #16. it's simple and clear (but too complex to flak8 :) )
I can backport this to 2.8 @adborden if you agree.

[mbocevski]

but too complex to flak8

Yeah, that code does quite some. I'll move it to the helper instead.

[adborden]

Thanks, looks good.