From de830a6154cd47be1e3b0a3247e718b4564865a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=AC=A2=E4=B9=90=E9=A9=AC?=
 <38058090+SkywalkerSpace@users.noreply.github.com>
Date: Thu, 31 Oct 2024 17:25:28 +0800
Subject: [PATCH] USE_LDAP_SYNC_ONLY (#6977)

---
 seahub/api2/serializers.py | 4 ++--
 seahub/auth/forms.py       | 2 +-
 seahub/settings.py         | 1 +
 seahub/views/sysadmin.py   | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/seahub/api2/serializers.py b/seahub/api2/serializers.py
index a729b0e7d2..024698d5d8 100644
--- a/seahub/api2/serializers.py
+++ b/seahub/api2/serializers.py
@@ -14,7 +14,7 @@ from seahub.two_factor.models import default_device
 from seahub.two_factor.views.login import is_device_remembered
 from seahub.utils.two_factor_auth import has_two_factor_auth, \
         two_factor_auth_enabled, verify_two_factor_token
-from seahub.settings import ENABLE_LDAP
+from seahub.settings import ENABLE_LDAP, USE_LDAP_SYNC_ONLY
 from constance import config
 
 logger = logging.getLogger(__name__)
@@ -92,7 +92,7 @@ class AuthTokenSerializer(serializers.Serializer):
                 # convert login id or contact email to username if any
                 user = authenticate(username=username, password=password)
                 # After local user authentication process is completed, authenticate LDAP user
-                if user is None and ENABLE_LDAP:
+                if user is None and ENABLE_LDAP and not USE_LDAP_SYNC_ONLY:
                     user = authenticate(ldap_user=username, password=password)
 
                 if user is None:
diff --git a/seahub/auth/forms.py b/seahub/auth/forms.py
index 91608226b4..99d51526d6 100644
--- a/seahub/auth/forms.py
+++ b/seahub/auth/forms.py
@@ -71,7 +71,7 @@ class AuthenticationForm(forms.Form):
                 username = Profile.objects.convert_login_str_to_username(username)
                 self.user_cache = authenticate(username=username, password=password)
                 # After local user authentication process is completed, authenticate LDAP user
-                if self.user_cache is None and settings.ENABLE_LDAP:
+                if self.user_cache is None and settings.ENABLE_LDAP and not settings.USE_LDAP_SYNC_ONLY:
                     self.user_cache = authenticate(ldap_user=username, password=password)
 
                 if self.user_cache is None:
diff --git a/seahub/settings.py b/seahub/settings.py
index 61235f06dc..1b3e9a0fa5 100644
--- a/seahub/settings.py
+++ b/seahub/settings.py
@@ -335,6 +335,7 @@ LDAP_USER_ROLE_ATTR = ''
 ACTIVATE_USER_WHEN_IMPORT = True
 
 SSO_LDAP_USE_SAME_UID = False
+USE_LDAP_SYNC_ONLY = False
 
 # enable ldap sasl auth
 ENABLE_SASL = False
diff --git a/seahub/views/sysadmin.py b/seahub/views/sysadmin.py
index 8ba0a965f5..ea17c00e4f 100644
--- a/seahub/views/sysadmin.py
+++ b/seahub/views/sysadmin.py
@@ -816,7 +816,7 @@ def sys_sudo_mode(request):
         if password:
             user = authenticate(username=username, password=password)
             # After local user authentication process is completed, authenticate LDAP user
-            if user is None and settings.ENABLE_LDAP:
+            if user is None and settings.ENABLE_LDAP and not settings.USE_LDAP_SYNC_ONLY:
                 user = authenticate(ldap_user=username, password=password)
             if user:
                 update_sudo_mode_ts(request)