Always request membership of the signed_fpca group

Signed-off-by: Aurélien Bompard <[email protected]>
fedora-infra · Nov 25, 2020 · 37dd3de · 37dd3de
1 parent 1747536
commit 37dd3de
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/NEWS b/NEWS
@@ -5,6 +5,15 @@ NEWS
 :Authors: Toshio Kuratomi, Luke Macken, Ricky Elrod, Patrick Uiterwijk, Ralph Bean
 :Version: 1.1.0
 
+------
+1.1.1
+------
+
+Bugfixes:
+
+* Membership of the "signed_fpca" group was not always requested.
+
+
 ------
 1.1.0
 ------

diff --git a/flask_fas_openid.py b/flask_fas_openid.py
@@ -265,6 +265,11 @@ def login(self, username=None, password=None, return_url=None,
 
         if isinstance(groups, six.string_types):
             groups = [groups]
+        # In the new AAA system, we know a user has signed the FPCA by looking
+        # a group membership. We must therefore always request the
+        # corresponding group.
+        if "_FAS_ALL_GROUPS_" not in groups:
+            groups.append("signed_fpca")
 
         request.addExtension(sreg.SRegRequest(
             required=['nickname', 'fullname', 'email', 'timezone']))