Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix create document for user when sub does not match but email does #543

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

sampaccoud
Copy link
Member

@sampaccoud sampaccoud commented Jan 10, 2025

Purpose

When creating a document on behalf of a user via the server-to-server API, a special edge case was broken that should never happen but happens in our OIDC federation because one of the provider modifies the users "sub" each time they login.

We ended-up with existing users for who the email matches but not the sub. They were not correctly handled.

Proposal

Get the user by its email like we do during authentication if activated in settings.

Made a few additional fixes and improvements to the endpoint.

When creating a document on behalf of a user via the server-to-server
API, a special edge case was broken that should should never happen
but happens in our OIDC federation because one of the provider modifies
the users "sub" each time they login.

We end-up with existing users for who the email matches but not the sub.
They were not correctly handled.

I made a few additional fixes and improvements to the endpoint.
We have changed the project's name from "impress" to "docs" but haven't
replace all occurrences of impress in the project because we want to be
careful of the consequences on deployments.

The name of the docker compose project was different for the pyling make
target which was causing this bug. Let's rename if without waiting.
@sampaccoud sampaccoud self-assigned this Jan 10, 2025
@sampaccoud sampaccoud added bug Something isn't working backend urgent labels Jan 10, 2025
email = validated_data["email"]
user = models.User.objects.filter(email=email).first()
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

user could be null actually here, so the creator could be null when you create the document, isn't it ?

Copy link
Member Author

@sampaccoud sampaccoud Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep. This is being handled here: https://github.com/suitenumerique/docs/blob/main/src/backend/core/models.py#L245

When the creator is null it will be filled-in when the invitation completes...

Copy link
Collaborator

@lebaudantoine lebaudantoine Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Question on my side, why not calling :

User.objects.get(email__iexact=email)

As here, and handle it if errors occur

Copy link
Collaborator

@qbey qbey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch :)

Comment on lines -282 to +288
raise exceptions.APIException(detail="could not convert content") from err
raise serializers.ValidationError(
{"content": ["Could not convert content"]}
) from err
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backend bug Something isn't working urgent
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants