diff --git a/zerver/tests/test_auth_backends.py b/zerver/tests/test_auth_backends.py index 3519c7809a..47c98b0b9e 100644 --- a/zerver/tests/test_auth_backends.py +++ b/zerver/tests/test_auth_backends.py @@ -996,6 +996,38 @@ class SocialAuthBase(ZulipTestCase): self.stage_two_of_registration(result, realm, subdomain, email, name, name, skip_registration_form=self.BACKEND_CLASS.full_name_validated) + @override_settings(TERMS_OF_SERVICE=None) + def test_social_auth_with_ldap_auth_registration_from_confirmation(self) -> None: + """ + This test checks that in configurations that use the ldap authentication backend + and a social backend, it is possible to create non-ldap users via the social backend. + """ + self.init_default_ldap_database() + email = self.nonreg_email("alice") + name = "Alice Social" + realm = get_realm("zulip") + subdomain = "zulip" + ldap_user_attr_map = {'full_name': 'cn'} + account_data_dict = self.get_account_data_dict(email=email, name=name) + + backend_path = 'zproject.backends.{}'.format(self.BACKEND_CLASS.__name__) + with self.settings( + POPULATE_PROFILE_VIA_LDAP=True, + LDAP_EMAIL_ATTR='mail', + AUTH_LDAP_USER_ATTR_MAP=ldap_user_attr_map, + AUTHENTICATION_BACKENDS=(backend_path, + 'zproject.backends.ZulipLDAPAuthBackend', + 'zproject.backends.ZulipDummyBackend') + ): + account_data_dict = self.get_account_data_dict(email=email, name=name) + result = self.social_auth_test(account_data_dict, + expect_choose_email_screen=True, + subdomain=subdomain, is_signup='1') + # Full name should get populated as provided by the social backend, because + # this user isn't in the ldap dictionary: + self.stage_two_of_registration(result, realm, subdomain, email, name, name, + skip_registration_form=self.BACKEND_CLASS.full_name_validated) + def test_social_auth_complete(self) -> None: with mock.patch('social_core.backends.oauth.BaseOAuth2.process_error', side_effect=AuthFailed('Not found')): 
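Review bot: The new test exercises only the path where the non-LDAP account is allowed; nothing in it covers the `LDAP_APPEND_DOMAIN` guard that this commit now also applies to social signups in `accounts_register`. A companion test that sets `LDAP_APPEND_DOMAIN`, signs up through the social backend with an address inside the LDAP domain, and asserts that no non-LDAP account is created would pin the refusal path, unless that case is already covered elsewhere in this file. Separately, the `account_data_dict = self.get_account_data_dict(email=email, name=name)` assignment before the `with self.settings(` block is repeated unchanged inside it, so the first one can be dropped.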
diff --git a/zerver/views/registration.py b/zerver/views/registration.py index 47817ec6ba..dee9393ce2 100644 --- a/zerver/views/registration.py +++ b/zerver/views/registration.py @@ -35,7 +35,7 @@ from zerver.views.auth import create_preregistration_user, redirect_and_log_into from zproject.backends import ldap_auth_enabled, password_auth_enabled, \ ZulipLDAPExceptionNoMatchingLDAPUser, email_auth_enabled, ZulipLDAPAuthBackend, \ - email_belongs_to_ldap + email_belongs_to_ldap, any_social_backend_enabled from confirmation.models import Confirmation, RealmCreationKey, ConfirmationKeyException, \ validate_key, create_confirmation_link, get_object_from_key, \ @@ -280,24 +280,20 @@ def accounts_register(request: HttpRequest) -> HttpResponse: prereg_user=prereg_user, return_data=return_data) if user_profile is None: - can_use_different_backend = email_auth_enabled(realm) + can_use_different_backend = email_auth_enabled(realm) or any_social_backend_enabled(realm) if settings.LDAP_APPEND_DOMAIN: # In LDAP_APPEND_DOMAIN configurations, we don't allow making a non-ldap account # if the email matches the ldap domain. can_use_different_backend = can_use_different_backend and ( not email_belongs_to_ldap(realm, email)) if return_data.get("no_matching_ldap_user") and can_use_different_backend: - # If both the LDAP and Email auth backends are + # If both the LDAP and Email or Social auth backends are # enabled, and there's no matching user in the LDAP # directory then the intent is to create a user in the # realm with their email outside the LDAP organization # (with e.g. a password stored in the Zulip database, # not LDAP). So we fall through and create the new # account. - # - # It's likely that we can extend this block to the - # Google and GitHub auth backends with no code changes - # other than here. pass else: # TODO: This probably isn't going to give a
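Review bot: `any_social_backend_enabled(realm)` in the new `can_use_different_backend` line is called with only the realm, so the fall-through does not depend on whether this particular registration actually arrived through a social backend. In a realm with LDAP and a social backend but no email auth, it looks like any confirmation that reaches this branch with `no_matching_ldap_user` set would now proceed to account creation. Whether that is reachable without a social login depends on code outside the hunk, and the helper itself is defined outside the visible diff. If the intent is narrower, tie the condition to how the `prereg_user` was created, or at least record the assumption with a comment such as `# Realm-level check only: does not verify that this prereg_user came from a social login.` The retained comment's example of "a password stored in the Zulip database" also no longer describes the social-only case; `accounts_register` begins and ends outside the hunk.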