diff --git a/rhodecode/authentication/base.py b/rhodecode/authentication/base.py
--- a/rhodecode/authentication/base.py
+++ b/rhodecode/authentication/base.py
@@ -77,7 +77,6 @@ class hybrid_property(object): self.fdel(instance) - class LazyFormencode(object): def __init__(self, formencode_obj, *args, **kwargs): self.formencode_obj = formencode_obj
@@ -106,6 +105,8 @@ class RhodeCodeAuthPluginBase(object): "lastname": "last name", "email": "email address", "groups": '["list", "of", "groups"]', + "user_group_sync": + 'True|False defines if returned user groups should be synced', "extern_name": "name in external source of record", "extern_type": "type of external source of record", "admin": 'True|False defines if user should be RhodeCode super admin',
@@ -114,6 +115,7 @@ class RhodeCodeAuthPluginBase(object): "active_from_extern": "True|False\None, active state from the external auth, " "None means use definition from RhodeCode extern_type active value" + } # set on authenticate() method and via set_auth_type func. auth_type = None
@@ -412,8 +414,9 @@ class RhodeCodeAuthPluginBase(object): new_hash = auth.get('_hash_migrate') if new_hash: self._migrate_hash_to_bcrypt(username, passwd, new_hash) + if 'user_group_sync' not in auth: + auth['user_group_sync'] = False return self._validate_auth_return(auth) - return auth def _migrate_hash_to_bcrypt(self, username, password, new_hash):
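Review bot: The default added before `return self._validate_auth_return(auth)` fills in a missing `user_group_sync`, but nothing here normalises a value that is present, and the consumer in RhodeCodeExternalAuthPlugin (the `@@ -538` hunk) tests it by truthiness. The documented contract is `True|False`, so a plugin that returns a non-empty string such as `'False'` would switch group enforcement on. Whether `_validate_auth_return` checks the type is not visible in this diff; if it does not, coerce strictly here, e.g. `auth['user_group_sync'] = auth.get('user_group_sync') is True`. The enclosing method starts outside the hunk.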
@@ -538,16 +541,19 @@ class RhodeCodeExternalAuthPlugin(RhodeC # enforce user is just in given groups, all of them has to be ones # created from plugins. We store this info in _group_data JSON # field - try: - groups = auth['groups'] or [] - log.debug( - 'Performing user_group sync based on set `%s` ' - 'returned by this plugin', groups) - UserGroupModel().enforce_groups(user, groups, self.name) - except Exception: - # for any reason group syncing fails, we should - # proceed with login - log.error(traceback.format_exc()) + + if auth['user_group_sync']: + try: + groups = auth['groups'] or [] + log.debug( + 'Performing user_group sync based on set `%s` ' + 'returned by `%s` plugin', groups, self.name) + UserGroupModel().enforce_groups(user, groups, self.name) + except Exception: + # for any reason group syncing fails, we should + # proceed with login + log.error(traceback.format_exc()) + Session().commit() return auth
@@ -671,7 +677,7 @@ def authenticate(username, password, env environ=environ or {}) if plugin_cache_active: - log.debug('Trying to fetch cached auth by %s', _password_hash[:6]) + log.debug('Trying to fetch cached auth by `...%s`', _password_hash[:6]) plugin_user = cache_manager.get( _password_hash, createfunc=auth_func) else:
diff --git a/rhodecode/authentication/plugins/auth_crowd.py b/rhodecode/authentication/plugins/auth_crowd.py
--- a/rhodecode/authentication/plugins/auth_crowd.py
+++ b/rhodecode/authentication/plugins/auth_crowd.py
@@ -267,6 +267,7 @@ class RhodeCodeAuthPlugin(RhodeCodeExter 'firstname': crowd_user["first-name"] or firstname, 'lastname': crowd_user["last-name"] or lastname, 'groups': crowd_user["groups"], + 'user_group_sync': True, 'email': crowd_user["email"] or email, 'admin': admin, 'active': active,
diff --git a/rhodecode/authentication/plugins/auth_headers.py b/rhodecode/authentication/plugins/auth_headers.py
--- a/rhodecode/authentication/plugins/auth_headers.py
+++ b/rhodecode/authentication/plugins/auth_headers.py
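Review bot: The `except Exception` branch still lets the login proceed after `enforce_groups` fails, so a user whose external groups were reduced keeps the previous memberships and the only trace is a bare traceback. Since the block is being re-indented anyway, make the failure identifiable, e.g. `log.exception('user_group sync via %s plugin failed; memberships left unchanged', self.name)`. Separately, `auth['user_group_sync']` is read with a plain subscript outside the `try`, so a dict lacking the key raises KeyError and aborts the login that the comment says should continue; `if auth.get('user_group_sync'):` avoids depending on the default set in the `@@ -412` hunk. The enclosing method starts outside the hunk.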
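Review bot: The changed debug line in the `@@ -671` hunk writes the first six characters of `_password_hash` to the log, and the new `...%s` format reads as a trailing fragment while `[:6]` takes the leading one. How `_password_hash` is computed is outside this hunk, but its name and its use as the cache key suggest it is derived from the submitted password, so a fragment of it in debug output is credential-derived data that log readers do not need. Prefer identifying the lookup by user instead, e.g. `log.debug('Trying to fetch cached auth for user %s', username)`, or at least make the format match the slice. The body of `authenticate` continues outside the hunk.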
@@ -212,6 +212,7 @@ class RhodeCodeAuthPlugin(RhodeCodeExter 'firstname': safe_unicode(firstname or username), 'lastname': safe_unicode(lastname or ''), 'groups': [], + 'user_group_sync': False, 'email': email or '', 'admin': admin or False, 'active': active,
diff --git a/rhodecode/authentication/plugins/auth_jasig_cas.py b/rhodecode/authentication/plugins/auth_jasig_cas.py
--- a/rhodecode/authentication/plugins/auth_jasig_cas.py
+++ b/rhodecode/authentication/plugins/auth_jasig_cas.py
@@ -154,6 +154,7 @@ class RhodeCodeAuthPlugin(RhodeCodeExter 'firstname': safe_unicode(firstname or username), 'lastname': safe_unicode(lastname or ''), 'groups': [], + 'user_group_sync': False, 'email': email or '', 'admin': admin or False, 'active': active,
diff --git a/rhodecode/authentication/plugins/auth_ldap.py b/rhodecode/authentication/plugins/auth_ldap.py
--- a/rhodecode/authentication/plugins/auth_ldap.py
+++ b/rhodecode/authentication/plugins/auth_ldap.py
@@ -460,6 +460,7 @@ class RhodeCodeAuthPlugin(RhodeCodeExter 'lastname': safe_unicode( get_ldap_attr('attr_lastname') or lastname), 'groups': groups, + 'user_group_sync': False, 'email': get_ldap_attr('attr_email') or email, 'admin': admin, 'active': active,
diff --git a/rhodecode/authentication/plugins/auth_pam.py b/rhodecode/authentication/plugins/auth_pam.py
--- a/rhodecode/authentication/plugins/auth_pam.py
+++ b/rhodecode/authentication/plugins/auth_pam.py
@@ -136,6 +136,7 @@ class RhodeCodeAuthPlugin(RhodeCodeExter 'lastname': lastname, 'groups': [g.gr_name for g in grp.getgrall() if username in g.gr_mem], + 'user_group_sync': True, 'email': email, 'admin': admin, 'active': active,
diff --git a/rhodecode/authentication/plugins/auth_rhodecode.py b/rhodecode/authentication/plugins/auth_rhodecode.py
--- a/rhodecode/authentication/plugins/auth_rhodecode.py
+++ b/rhodecode/authentication/plugins/auth_rhodecode.py
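Review bot: In the auth_ldap.py hunk, `'user_group_sync': False` is hard-coded next to `'groups': groups`, so with the base.py change `enforce_groups` is no longer called for LDAP logins even though the plugin still returns directory groups. Before this commit the sync ran unconditionally for external plugins, so group removals made in LDAP would stop propagating to RhodeCode user groups after it (inferred from the `@@ -538` hunk; the rest of the LDAP plugin is not visible). If that is intended, say so with a comment such as `# group sync is deliberately off for LDAP; 'groups' is informational only`; otherwise take the flag from the plugin's settings rather than a literal. The dict literal starts and ends outside the hunk.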
@@ -100,6 +100,7 @@ class RhodeCodeAuthPlugin(RhodeCodeAuthP "firstname": userobj.firstname, "lastname": userobj.lastname, "groups": [], + 'user_group_sync': False, "email": userobj.email, "admin": userobj.admin, "active": userobj.active,
diff --git a/rhodecode/authentication/plugins/auth_token.py b/rhodecode/authentication/plugins/auth_token.py
--- a/rhodecode/authentication/plugins/auth_token.py
+++ b/rhodecode/authentication/plugins/auth_token.py
@@ -111,6 +111,7 @@ class RhodeCodeAuthPlugin(RhodeCodeAuthP "firstname": userobj.firstname, "lastname": userobj.lastname, "groups": [], + 'user_group_sync': False, "email": userobj.email, "admin": userobj.admin, "active": userobj.active,
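Review bot: The added key is written as `'user_group_sync'` in a dict whose other keys use double quotes; `"user_group_sync": False,` would match the surrounding lines here and in the auth_token.py hunk. Both plugins return `"groups": []`, and the base class now defaults the flag to False, so the entry is purely declarative and a consistent spelling is all it needs. The dict literals continue outside the hunks.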