Set Django staff status from superuser status

rajivsinclair · Jul 19, 2020 · 8d03156 · 8d03156
1 parent 0d84f5e
commit 8d03156
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 6 deletions.
diff --git a/app/server/social_auth.py b/app/server/social_auth.py
@@ -75,7 +75,7 @@ def fetch_azuread_permissions(strategy, details, user=None, is_new=False, *args,
 # noinspection PyUnusedLocal
 def fetch_okta_oauth2_permissions(strategy, details, user=None, is_new=False, *args, **kwargs):
     org_url = getattr(settings, 'SOCIAL_AUTH_OKTA_OAUTH2_API_URL', '')
-    group_name = getattr(settings, "OKTA_OAUTH2_ADMIN_GROUP_NAME", "")
+    admin_group_name = getattr(settings, "OKTA_OAUTH2_ADMIN_GROUP_NAME", "")
     if not user or not isinstance(kwargs['backend'], OktaOAuth2):
         return
 
@@ -88,17 +88,22 @@ def fetch_okta_oauth2_permissions(strategy, details, user=None, is_new=False, *a
     response.raise_for_status()
     response = response.json()
 
-    is_superuser = group_name in response.get("groups", [])
+    is_superuser = admin_group_name in response.get("groups", [])
+    is_staff = admin_group_name in response.get("groups", [])
 
     if user.is_superuser != is_superuser:
         user.is_superuser = is_superuser
         user.save()
 
+    if user.is_staff != is_staff:
+        user.is_staff = is_staff
+        user.save()
+
 
 # noinspection PyUnusedLocal
 def fetch_okta_openidconnect_permissions(strategy, details, user=None, is_new=False, *args, **kwargs):
     org_url = getattr(settings, 'SOCIAL_AUTH_OKTA_OPENIDCONNECT_API_URL', '')
-    group_name = getattr(settings, "OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME", "")
+    admin_group_name = getattr(settings, "OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME", "")
     if not user or not isinstance(kwargs['backend'], OktaOpenIdConnect):
         return
 
@@ -111,8 +116,13 @@ def fetch_okta_openidconnect_permissions(strategy, details, user=None, is_new=Fa
     response.raise_for_status()
     response = response.json()
 
-    is_superuser = group_name in response.get("groups", [])
+    is_superuser = admin_group_name in response.get("groups", [])
+    is_staff = admin_group_name in response.get("groups", [])
 
     if user.is_superuser != is_superuser:
         user.is_superuser = is_superuser
         user.save()
+
+    if user.is_staff != is_staff:
+        user.is_staff = is_staff
+        user.save()
diff --git a/docs/advanced/oauth2_settings.md b/docs/advanced/oauth2_settings.md
@@ -57,7 +57,7 @@ In the app settings, please set the redirect URI to `{DOCCANO_URL}/social/comple
 Okta Application setup:
 ![image](../images/oauth/okta_oauth_app.png)
 
-Optionally, if you want to assign Doccano super users from Okta users, you can use Okta groups to assign them the policy. Ensure your Okta [authorization server can serve `groups` claims](https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-groups-claim-org-as/) and set the environment variable `OKTA_OAUTH2_ADMIN_GROUP_NAME`.
+Optionally, if you want to assign Doccano super users from Okta users, you can use Okta groups to assign them the policy. This will also assign the users the staff role, allowing them to access the Django admin page and app. Ensure your Okta [authorization server can serve `groups` claims](https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-groups-claim-org-as/) and set the environment variable `OKTA_OAUTH2_ADMIN_GROUP_NAME`.
 
 ```bash
 export OKTA_OAUTH2_ADMIN_GROUP_NAME=SUPERUSER_OKTA_GROUP_NAME
@@ -75,7 +75,7 @@ export OAUTH_OKTA_OPENIDCONNECT_API_URL=YOUR_BASE_URL
 
 In the app settings, please set the redirect URI to your app domain `/social/complete/okta-openidconnect/`. For example, if you are serving Doccano at `https://example.com`, the redirect URI should be `https://example.com/social/complete/okta-openidconnect/`. If using a local installation being served at port 8000, set the redirect URI to `http://127.0.0.1:8000/social/complete/okta-openidconnect/`.
 
-Optionally, if you want to assign Doccano super users from Okta users, you can use Okta groups to assign them the policy. Ensure your Okta [authorization server can serve `groups` claims](https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-groups-claim-org-as/) and set the environment variable `OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME`.
+Optionally, if you want to assign Doccano super users from Okta users, you can use Okta groups to assign them the policy. This will also assign the users the staff role, allowing them to access the Django admin page and app. Ensure your Okta [authorization server can serve `groups` claims](https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/add-groups-claim-org-as/) and set the environment variable `OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME`.
 
 ```bash
 export OKTA_OPENIDCONNECT_ADMIN_GROUP_NAME=SUPERUSER_OKTA_GROUP_NAME