Discern user type using the CAS 'xroles' attribute
Closed this issue · 0 comments
Right now we guess whether a user is a student or faculty by looking at his email as a heuristic: https://github.com/aspc/mainsite/blob/master/aspc/auth2/backends.py#L48. This is generally accurate, but there are times when a student's CAS data contains his `@pomona.edu` email instead of his `@mymail.pomona.edu` one. (E.g. if a student has changed his name or something -- for some reason the rest of the CAS fields get changed when ITS updates his data.)
Now, however, CAS returns an `xroles` attribute that actually tells us what kind of account we are receiving -- we don't have to guess anymore. The CAS response that we currently get should be something like this:
```xml
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <!-- Begin Ldap Attributes -->
    <cas:attributes>
      <cas:lastName>Dahl</cas:lastName>
      <cas:EmailAddress>mdd32013@MyMail.pomona.edu</cas:EmailAddress>
      <cas:fullName>Matthew Daniel Dahl</cas:fullName>
      <cas:firstName>Matthew</cas:firstName>
      <cas:xroles>pomonastudent</cas:xroles>
    </cas:attributes>
    <!-- End Ldap Attributes -->
  </cas:authenticationSuccess>
</cas:serviceResponse>
```
We should capture that attribute as we already do with the other ones here: https://github.com/aspc/mainsite/blob/master/aspc/auth2/backends.py#L100. We should then use it to properly assign the account type up on line 48 where we currently inspect the email suffix.
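As an added illustration (not code from `aspc/mainsite`), here is one way the parsing and assignment could look: read every `cas:attributes` child of a successful CAS response into a dict, then pick the account type from `xroles` and only fall back to the old email-suffix heuristic when `xroles` is missing or unrecognised. The `pomonafaculty` value, the function names and the "unknown" result are assumptions; the sample response is the one from this issue.

```python
import xml.etree.ElementTree as ET
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
# Constructed sample, copied from the response shown in this issue.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:attributes>
      <cas:lastName>Dahl</cas:lastName>
      <cas:EmailAddress>mdd32013@MyMail.pomona.edu</cas:EmailAddress>
      <cas:fullName>Matthew Daniel Dahl</cas:fullName>
      <cas:firstName>Matthew</cas:firstName>
      <cas:xroles>pomonastudent</cas:xroles>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Hypothetical xroles -> account type map; only 'pomonastudent' is on the page.
XROLES_TO_TYPE = {
    "pomonastudent": "student",
    "pomonafaculty": "faculty",
}

def parse_cas_attributes(xml_text):
    """Return the cas:attributes of a successful response as a dict, or None."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None
    attrs = {}
    for el in success.findall("cas:attributes/*", CAS_NS):
        local = el.tag.rsplit("}", 1)[-1]  # drop the '{namespace}' prefix
        attrs[local] = (el.text or "").strip()
    return attrs

def email_heuristic(email):
    """The old guess: mymail.pomona.edu => student, pomona.edu => faculty."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain == "mymail.pomona.edu":
        return "student"
    if domain == "pomona.edu":
        return "faculty"
    return "unknown"

def account_type(attrs):
    """Prefer the authoritative xroles value; fall back to the email heuristic."""
    role = attrs.get("xroles", "").strip().lower()
    if role in XROLES_TO_TYPE:
        return XROLES_TO_TYPE[role]
    return email_heuristic(attrs.get("EmailAddress", ""))
```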