add can_multi_saml_sso role (#7981)

* add can_multi_saml_sso role * update test * update
2025-10-22 03:16:34 +00:00 · 2025-06-26 17:58:12 +08:00
parent 0aec56f8ab
commit c33fcfed77
5 changed files with 24 additions and 6 deletions
--- a/seahub/auth/views.py
+++ b/seahub/auth/views.py
@@ -1,8 +1,6 @@
 # Copyright (c) 2012-2016 Seafile Ltd.
-import hashlib
 import logging
 import jwt
-from datetime import datetime
 from django.conf import settings
 # Avoid shadowing the login() view below.
 from django.views.decorators.csrf import csrf_protect
@@ -10,7 +8,7 @@ from django.urls import reverse
 from django.contrib import messages
 from django.shortcuts import render
 from django.contrib.sites.shortcuts import get_current_site
-from django.http import HttpResponseRedirect, Http404
+from django.http import HttpResponseRedirect

 from urllib.parse import quote
 from django.utils.http import base36_to_int, url_has_allowed_host_and_scheme
@@ -43,6 +41,7 @@ from seahub.utils.two_factor_auth import two_factor_auth_enabled, handle_two_fac
 from seahub.utils.user_permissions import get_user_role
 from seahub.utils.auth import get_login_bg_image_path
 from seahub.organizations.models import OrgSAMLConfig
+from seahub.organizations.utils import can_use_sso_in_multi_tenancy

 from constance import config

@@ -536,6 +535,11 @@ def multi_adfs_sso(request):
            if not org:
                render_data['error_msg'] = "Cannot find an ADFS/SAML config for the team related to domain %s." % domain
                return render(request, template_name, render_data)
+
+            if not can_use_sso_in_multi_tenancy(org_id):
+                render_data['error_msg'] = _(f"Team {domain} does not have permission to use ADFS/SAML SSO.")
+                return render(request, template_name, render_data)
+
        except Exception as e:
            logger.error(e)
            render_data['error_msg'] = 'Error, please contact administrator.'
--- a/seahub/organizations/utils.py
+++ b/seahub/organizations/utils.py
@@ -2,8 +2,12 @@
 from django.core.cache import cache
 from django.urls import reverse

+from seaserv import ccnet_api
+
 from seahub.invitations.models import Invitation
+from seahub.organizations.models import OrgSettings
 from seahub.utils import gen_token, get_service_url
+from seahub.role_permissions.utils import get_enabled_role_permissions_by_role


 def get_or_create_invitation_link(org_id):
@@ -50,3 +54,10 @@ def generate_org_reactivate_link(org_id):
    url = reverse('org_reactivate', args=[i.token])
    url = f'{service_url}{url}'
    return url
+
+
+def can_use_sso_in_multi_tenancy(org_id):
+    org = ccnet_api.get_org_by_id(org_id)
+    org_role = OrgSettings.objects.get_role_by_org(org)
+    perm_dict = get_enabled_role_permissions_by_role(org_role)
+    return perm_dict.get('can_use_sso_in_multi_tenancy', True)
--- a/seahub/organizations/views.py
+++ b/seahub/organizations/views.py
@@ -35,7 +35,8 @@ from seahub.organizations.settings import ORG_AUTO_URL_PREFIX, \
        ORG_MEMBER_QUOTA_ENABLED, ORG_ENABLE_ADMIN_INVITE_USER_VIA_WEIXIN, \
        ORG_ENABLE_ADMIN_CUSTOM_LOGO, ORG_ENABLE_ADMIN_CUSTOM_NAME, \
        ORG_ENABLE_ADMIN_INVITE_USER
-from seahub.organizations.utils import get_or_create_invitation_link
+from seahub.organizations.utils import get_or_create_invitation_link, \
+        can_use_sso_in_multi_tenancy
 from seahub.subscription.utils import subscription_check
 from seahub.billing.settings import ENABLE_EXTERNAL_BILLING_SERVICE
 from registration.models import RegistrationProfile
@@ -298,7 +299,7 @@ def react_fake_view(request, **kwargs):
        'org_enable_admin_invite_user': ORG_ENABLE_ADMIN_INVITE_USER,
        'group_id': group_id,
        'invitation_link': invitation_link,
-        'enable_multi_adfs': ENABLE_MULTI_ADFS,
+        'enable_multi_adfs': ENABLE_MULTI_ADFS and can_use_sso_in_multi_tenancy(org.org_id),
        'enable_subscription': subscription_check(),
        'enable_external_billing_service': ENABLE_EXTERNAL_BILLING_SERVICE,
        'sys_enable_user_clean_trash': config.ENABLE_USER_CLEAN_TRASH,
--- a/seahub/role_permissions/settings.py
+++ b/seahub/role_permissions/settings.py
@@ -51,6 +51,7 @@ DEFAULT_ENABLED_ROLE_PERMISSIONS = {
        'monthly_rate_limit_per_user': '',
        'can_choose_office_suite': True,
        'monthly_ai_credit_per_user': -1,
+        'can_use_sso_in_multi_tenancy': True,
    },
    GUEST_USER: {
        'can_add_repo': False,
@@ -77,6 +78,7 @@ DEFAULT_ENABLED_ROLE_PERMISSIONS = {
        'monthly_rate_limit': '',
        'monthly_rate_limit_per_user': '',
        'can_choose_office_suite': False,
+        'can_use_sso_in_multi_tenancy': False,
    },
 }

--- a/tests/seahub/role_permissions/test_utils.py
+++ b/tests/seahub/role_permissions/test_utils.py
@@ -11,4 +11,4 @@ class UtilsTest(BaseTestCase):
        assert DEFAULT_USER in get_available_roles()

    def test_get_enabled_role_permissions_by_role(self):
-        assert len(list(get_enabled_role_permissions_by_role(DEFAULT_USER).keys())) == 25
+        assert len(list(get_enabled_role_permissions_by_role(DEFAULT_USER).keys())) == 26