From 3ecd62a9ad9aa7699ced5fd7e25a19a274fa10d1 Mon Sep 17 00:00:00 2001 From: Ernesto Rico Schmidt <ernesto@helsinki.at> Date: Sun, 19 Nov 2023 18:03:07 -0400 Subject: [PATCH] feat: add settings for filtering the active shows and OIDC Provider Scope, Update Scope Claims the Show IDs are now listed and filtered according to the settings BREAKING CHANGE: Closes: #179 --- steering/oidc_provider_settings.py | 42 +++++++++++++++++++++--------- steering/settings.py | 15 +++++++++++ 2 files changed, 44 insertions(+), 13 deletions(-) diff --git a/steering/oidc_provider_settings.py b/steering/oidc_provider_settings.py index 400fe29b..1724b2b1 100644 --- a/steering/oidc_provider_settings.py +++ b/steering/oidc_provider_settings.py @@ -20,7 +20,10 @@ from oidc_provider.lib.claims import ScopeClaims +from django.conf import settings +from django.utils import timezone from django.utils.translation import gettext as _ +from program.models import Show class AuraScopeClaims(ScopeClaims): 
@@ -30,27 +33,40 @@ class AuraScopeClaims(ScopeClaims): ) def scope_username(self): - dic = { + return { "username": self.user.username, - # 'privileged': (self.user.is_staff or self.user.is_superuser) - "privileged": self.user.is_superuser, + "privileged": self.user.is_superuser + or settings.PRIVILEGED_GROUP in self.user.groups.values_list("name", flat=True), + "entitled": any( + [ + name in settings.ENTITLED_GROUPS + for name in self.user.groups.values_list("name", flat=True) + ] + ), } - return dic - info_aura_shows = ( _("AURA Shows"), _("AURA shows you have access to."), ) def scope_aura_shows(self): - from program.models import Show + # we use annotated objects because filtering using properties is not possible + owned_shows = Show.objects.with_max_timeslot_start().filter(owners=self.user) + public_shows = Show.objects.with_max_timeslot_start().filter(is_public=True) + + if settings.FILTER_ACTIVE_SHOWS_USING["is_active"]: + # use the `is_active` field + owned_shows = owned_shows.filter(is_active=True) + public_shows = public_shows.filter(is_active=True) - # TODO: should add filter `is_active=True` ? - public_show_slugs = list( - Show.objects.filter(is_public=True).values_list("slug", flat=True) - ) - show_slugs = list(self.user.shows.all().values_list("slug", flat=True)) - dic = {"shows": show_slugs, "public-shows": public_show_slugs} + if settings.FILTER_ACTIVE_SHOWS_USING["max_timeslot_start"]: + # use the `max_timeslot_start` annotation + now = timezone.datetime.now() + owned_shows = owned_shows.filter(max_timeslot_start__gt=now) + public_shows = public_shows.filter(max_timeslot_start__gt=now) - return dic + return { + "ownedShowIds": list(owned_shows.values_list("id", flat=True)), + "publicShowIds": list(public_shows.values_list("id", flat=True)), + } diff --git a/steering/settings.py b/steering/settings.py index b64fc042..86b702c6 100644 --- a/steering/settings.py +++ b/steering/settings.py 
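Review bot: `now = timezone.datetime.now()` in `scope_aura_shows` is the standard-library `datetime.now()` reached through Django's `timezone` module, so it yields a naive datetime; if the project runs with `USE_TZ = True` (not visible in this patch), the two `max_timeslot_start__gt=now` filters receive a naive value that Django has to interpret in the default time zone, which is ambiguous around DST changes. Use `now = timezone.now()` so the show IDs placed in the token are computed against an aware timestamp. In `scope_username`, `privileged` and `entitled` are now derived from group names, so a comment there should record that whoever can edit groups or memberships controls these claims. `self.user.groups.filter(name__in=settings.ENTITLED_GROUPS).exists()` would replace the `any([...])` list and avoid running the same `values_list` query twice. The `AuraScopeClaims` class header lies outside this hunk.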
@@ -160,6 +160,21 @@ CBA_REST_API_URL = CBA_URL + "/wp-json/wp/v2/" LOGIN_URL = "/admin/login/" # Login page OIDC redirects to OIDC_EXTRA_SCOPE_CLAIMS = "steering.oidc_provider_settings.AuraScopeClaims" +# OIDC Provider extra scope claims +# - Superusers and members of these group are privileged +PRIVILEGED_GROUP = "Program" +# - Members of these groups are entitled +ENTITLED_GROUPS = ["Broadcast", "Broadcast+"] # this needs to be a list + +# The API will filter the active shows using one of these filters +# One of these should to be True. +# - if both are True, shows will be filtered using the field AND the annotation +# - if both are False, shows will NOT be filtered +FILTER_ACTIVE_SHOWS_USING = { + "is_active": False, # shows will be filtered using this field + "max_timeslot_start": True, # shows will be filtered using this annotation +} + # WSGI_APPLICATION = 'steering.wsgi.application'; if os.getenv("USE_LDAP_AUTH"): -- GitLab
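Review bot: The comment `# this needs to be a list` on `ENTITLED_GROUPS` does not say why, and the reason is security-relevant: `scope_username` tests `name in settings.ENTITLED_GROUPS`, so a deployment that overrides the setting with a plain string turns the check into a substring match, and any group whose name is a substring of that value would be reported as entitled. I would spell that out, e.g. `# must be a list or tuple of exact group names; a plain string would make the membership test a substring match`. The `FILTER_ACTIVE_SHOWS_USING` comment could also note that both keys are required, because the claims code reads them by subscript and an override missing one would raise `KeyError` while the token claims are built. The rest of the settings module is outside this hunk.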