utils: add invenio_saml-compatible account-setup

tu-graz-library · Mar 13, 2024 · 32ae783 · 32ae783
1 parent d4df756
commit 32ae783
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/invenio_config_tugraz/utils.py b/invenio_config_tugraz/utils.py
@@ -30,3 +30,20 @@ def get_identity_from_user_by_email(email: str = None) -> Identity:
     identity.provides.add(any_user)
 
     return identity
+
+
+def tugraz_account_setup(user, account_info):
+    """Add tugraz_authenticated role to user after SAML-login was acknowledged.
+
+    Use as `account_setup`-argument to `invenio_saml.handlers.acs_handler_factory`.
+    For this to work, the role tugraz_authenticated must have been created
+    (e.g. via `invenio roles create tugraz_authenticated`).
+    """
+    # links external `account_info` with our database's `user` for future logins
+    default_account_setup(user, account_info)
+
+    user_email = account_info["user"]["email"]
+
+    # NOTE: `datastore.commit`ing will be done by acs_handler that calls this func
+    # NOTE: this is a No-Op when user_email already has role tugraz_authenticated
+    current_accounts.datastore.add_role_to_user(user_email, "tugraz_authenticated")