mirror of
https://github.com/discourse/discourse.git
synced 2024-11-26 00:23:40 +08:00
e0a6d12c55
The previous implementation would attempt to fetch groups using the end-user's Google auth token. This only worked for admin accounts, or users with 'delegated' access to the `admin.directory.group.readonly` API. This commit changes the approach to use a single 'service account' for fetching the groups. This removes the need to add permissions to all regular user accounts. I'll be updating the [meta docs](https://meta.discourse.org/t/226850) with instructions on setting up the service account. This is technically a breaking change in behavior, but the existing implementation was marked experimental, and is currently unusable in production google workspace environments.
49 lines
1.7 KiB
Ruby
49 lines
1.7 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
RSpec.describe AssociatedGroup do
|
|
let(:user) { Fabricate(:user) }
|
|
let(:associated_group) { Fabricate(:associated_group) }
|
|
let(:group) { Fabricate(:group) }
|
|
|
|
it "generates a label" do
|
|
ag = described_class.new(name: "group1", provider_name: "google")
|
|
expect(ag.label).to eq("google:group1")
|
|
end
|
|
|
|
it "detects whether any auth providers provide associated groups" do
|
|
SiteSetting.enable_google_oauth2_logins = true
|
|
SiteSetting.google_oauth2_hd = 'domain.com'
|
|
SiteSetting.google_oauth2_hd_groups = false
|
|
SiteSetting.google_oauth2_hd_groups_service_account_admin_email = "test@example.com"
|
|
SiteSetting.google_oauth2_hd_groups_service_account_json = "{}"
|
|
expect(described_class.has_provider?).to eq(false)
|
|
|
|
SiteSetting.google_oauth2_hd_groups = true
|
|
expect(described_class.has_provider?).to eq(true)
|
|
end
|
|
|
|
describe ".cleanup!" do
|
|
before do
|
|
associated_group.last_used = 8.days.ago
|
|
associated_group.save
|
|
end
|
|
|
|
it "deletes associated groups not used in over a week" do
|
|
described_class.cleanup!
|
|
expect(described_class.exists?(associated_group.id)).to eq(false)
|
|
end
|
|
|
|
it "doesnt delete associated groups associated with groups" do
|
|
GroupAssociatedGroup.create(group_id: group.id, associated_group_id: associated_group.id)
|
|
described_class.cleanup!
|
|
expect(described_class.exists?(associated_group.id)).to eq(true)
|
|
end
|
|
|
|
it "doesnt delete associated groups associated with users" do
|
|
UserAssociatedGroup.create(user_id: user.id, associated_group_id: associated_group.id)
|
|
described_class.cleanup!
|
|
expect(described_class.exists?(associated_group.id)).to eq(true)
|
|
end
|
|
end
|
|
end
|