diff --git a/odp/identity/lib.py b/odp/identity/lib.py
index 9ff7b2f..7c750e4 100644
--- a/odp/identity/lib.py
+++ b/odp/identity/lib.py
@@ -5,8 +5,10 @@ from sqlalchemy import select
 from odp.const import ODPSystemRole, SAEON_EMAIL_DOMAINS
+from sadco.const import SADCORole
 from odp.const.db import IdentityCommand
 from odp.db import Session
+from odp.config import config
 from odp.db.models import Client, IdentityAudit, User, UserRole
 from odp.lib import exceptions as x
@@ -76,6 +78,8 @@ def validate_user_login(
     if not user.verified:
         raise x.ODPEmailNotVerified
+    assign_sadco_role(client_id, user.id)
+
     _create_audit_record(client_id, IdentityCommand.login, True, user_id=user.id)
     return user.id
@@ -118,6 +122,8 @@ def validate_auto_login(
         if not user.verified:
             raise x.ODPEmailNotVerified
+        assign_sadco_role(client_id, user.id)
+
         _create_audit_record(client_id, IdentityCommand.login, True, user_id=user_id)
     except x.ODPIdentityError as e:
@@ -275,6 +281,8 @@ def create_user_account(
     )
     user.save()
+    assign_sadco_role(client_id, user.id)
+
     assign_default_role(user.id)
     _create_audit_record(client_id, IdentityCommand.signup, True, email=email)
@@ -300,6 +308,19 @@ def assign_default_role(user_id):
     user_role.save()
+def assign_sadco_role(client_id, user_id):
+    """
+    Assign the SADCO role if the user has come from the SADCO client and does not have the role already.
+    """
+    if client_id != config.ODP.IDENTITY.SADCO_CLIENT_ID:
+        return
+
+    if (not Session.get(UserRole, (user_id, SADCORole.SADCO_USER)) and not Session.get(UserRole, (
+            user_id, SADCORole.SADCO_ADMIN))):
+        user_role = UserRole(user_id=user_id, role_id=SADCORole.SADCO_USER)
+        user_role.save()
+
+
 def update_user_verified(user_id, verified):
     """
     Update the verified status of a user.
@@ -394,6 +415,8 @@ def validate_google_login(
     if not user.active:
         raise x.ODPAccountDisabled
+    assign_sadco_role(client_id, user.id)
+
     _create_audit_record(client_id, IdentityCommand.login, True, user_id=user.id)
     return user.id
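Review bot: `from sadco.const import SADCORole` is inserted in the middle of the `odp.*` import group, and it is the first line in this file that makes the `odp.identity` package import from the `sadco` package; if `sadco` itself depends on `odp` (not visible here) this is a cycle waiting to happen at import time. Move it to its own group after the `odp` imports, `from odp.lib import exceptions as x` then a blank line then `from sadco.const import SADCORole`, and consider keeping the SADCO role name in `odp.const` next to `ODPSystemRole` so the identity service does not take on a dependency on a downstream application package.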
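Review bot: The new `assign_sadco_role(client_id, user.id)` call grants a role as a side effect of login, but nothing records that the grant happened: the only audit written in this hunk is the `IdentityCommand.login` record on the following line, which would look identical whether or not a role was added. A role assignment is a privilege change and should leave its own trail, either an `_create_audit_record(...)` call inside `assign_sadco_role` when it actually inserts a `UserRole`, or at minimum a log line naming the user and role. The same applies to the identical calls added in `validate_auto_login`, `create_user_account` and `validate_google_login`. Note also that the grant is keyed purely on `client_id`; that is fine if every caller passes a client id that has already been validated against the registered `Client`, which these hunks do not show, so it is worth stating that precondition in the docstring.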
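Review bot: In `create_user_account` the role is granted immediately after `user.save()`, before the account's email has been verified, whereas the three login paths only reach `assign_sadco_role` after the `user.verified` check has passed. If the role is meant to follow verification, this call is the one place that bypasses it, and it is also redundant with the login-path grants, which will assign the role on the user's first successful SADCO login; if granting at signup is intentional, a one-line comment saying so, `# granted pre-verification: the SADCO client gates access on verified status itself`, would stop a later reader from "fixing" it. The enclosing function starts outside this hunk.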
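Review bot: `assign_sadco_role` is check-then-insert with no uniqueness handling: two concurrent logins for the same user can both find no `UserRole` and both call `user_role.save()`, and if `(user_id, role_id)` is the primary key, as the `Session.get(UserRole, (user_id, ...))` lookups suggest, the second insert will fail with an integrity error that surfaces as a failed login. Either catch that error around the `save()` and treat it as already-assigned, or make the insert idempotent at the database level. The two-way `Session.get` condition is also awkward to read; `if not any(Session.get(UserRole, (user_id, r)) for r in (SADCORole.SADCO_USER, SADCORole.SADCO_ADMIN)):` says the same thing on one line and makes it obvious that an existing admin grant suppresses the user grant. The docstring should also mention that the function is a no-op for every client other than `config.ODP.IDENTITY.SADCO_CLIENT_ID` and that it returns nothing.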