Fix: User can login to other site with Social Auth (#180)

common/djangoapps/third_party_auth/pipeline.py

@@ -72,6 +72,7 @@ def B(*args, **kwargs):
 from django.urls import reverse
 from django.http import HttpResponseBadRequest
 from django.shortcuts import redirect
+from django.utils.translation import ugettext as _
 import social_django
 from social_core.exceptions import AuthException
 from social_core.pipeline import partial
@@ -80,6 +81,7 @@ def B(*args, **kwargs):
 from edxmako.shortcuts import render_to_string
 from openedx.core.djangoapps.site_configuration import helpers as configuration_helpers
 from openedx.core.djangoapps.user_authn import cookies as user_authn_cookies
+from openedx.features.edly.validators import is_edly_user_allowed_to_login_with_social_auth
 from lms.djangoapps.verify_student.models import SSOVerification
 from lms.djangoapps.verify_student.utils import earliest_allowed_verification_date
 from third_party_auth.utils import user_exists
@@ -632,6 +634,9 @@ def set_logged_in_cookies(backend=None, user=None, strategy=None, auth_entry=Non
             # Check that the cookie isn't already set.
             # This ensures that we allow the user to continue to the next
             # pipeline step once he/she has the cookie set by this step.
+            if not is_edly_user_allowed_to_login_with_social_auth(request, user):
+                raise AuthException(user, _('You are not allowed to login on this site.'))
+
             has_cookie = user_authn_cookies.are_logged_in_cookies_set(request)
             if not has_cookie:
                 try:

openedx/features/edly/tests/test_validators.py

@@ -10,7 +10,10 @@
     EdlyUserProfileFactory,
     SiteFactory
 )
-from openedx.features.edly.validators import is_edly_user_allowed_to_login
+from openedx.features.edly.validators import (
+    is_edly_user_allowed_to_login,
+    is_edly_user_allowed_to_login_with_social_auth
+)
 
 
 class EdlyValidatorsTests(TestCase):
@@ -44,3 +47,24 @@ def test_user_without_edly_sub_organization_access_for_current_site(self):
         has_access = is_edly_user_allowed_to_login(self.request, self.user)
 
         assert not has_access
+
+    def test_user_allow_to_login_with_social_auth(self):
+        """
+        Test user can login to site with social auth.
+        """
+
+        edly_sub_organization = EdlySubOrganizationFactory(lms_site=self.request.site)
+        self.edly_user_profile.edly_sub_organizations.add(edly_sub_organization)
+        has_access = is_edly_user_allowed_to_login_with_social_auth(self.request, self.user)
+
+        assert has_access
+
+    def test_user_allow_to_login_with_social_auth(self):
+        """
+        Test user can not login to site with social auth.
+        """
+
+        edly_sub_organization = EdlySubOrganizationFactory(lms_site=self.request.site)
+        has_access = is_edly_user_allowed_to_login_with_social_auth(self.request, self.user)
+
+        assert not has_access

openedx/features/edly/validators.py

@@ -4,6 +4,10 @@
     EdlySubOrganization,
     EdlyUserProfile
 )
+from openedx.features.edly.utils import (
+    create_user_link_with_edly_sub_organization,
+    user_can_login_on_requested_edly_organization
+)
 
 logger = getLogger(__name__)
 
@@ -42,3 +46,25 @@ def is_edly_user_allowed_to_login(request, possibly_authenticated_user):
         return True
 
     return False
+
+
+def is_edly_user_allowed_to_login_with_social_auth(request, user):
+    """
+    Check if the user is allowed to login on the current site with social auth.
+
+    Arguments:
+        request (object): HTTP request object
+        user: User object trying to authenticate
+
+    Returns:
+        bool: Returns True if User can login to site otherwise False.
+    """
+
+    if not is_edly_user_allowed_to_login(request, user):
+        if user_can_login_on_requested_edly_organization(request, user):
+            create_user_link_with_edly_sub_organization(request, user)
+        else:
+            logger.warning('User %s is not allowed to login for site %s.' % (user.email, request.site))
+            return False
+
+    return True