Added functionality to set staff status for named teams (and revoke where no longer in those teams)

django_openid_auth/auth.py

@@ -87,6 +87,7 @@ class OpenIDBackend:
             openid_response)
         if teams_response:
             self.update_groups_from_teams(user, teams_response)
+            self.update_staff_status_from_teams(user, teams_response)
 
         return user
 
@@ -219,3 +220,15 @@ class OpenIDBackend:
             user.groups.remove(group)
         for group in desired_groups - current_groups:
             user.groups.add(group)
+
+    def update_staff_status_from_teams(self, user, teams_response):
+        staff_teams = getattr(settings, 'OPENID_LAUNCHPAD_STAFF_TEAMS', [])
+        user.is_staff = False
+
+        for lp_team in teams_response.is_member:
+            if lp_team in staff_teams:
+                user.is_staff = True
+                break
+
+        user.save()
+

django_openid_auth/tests/test_views.py

@@ -467,6 +467,65 @@ class RelyingPartyTests(TestCase):
         self.assertEqual(group2 in user.groups.all(), False)
         self.assertTrue(group3 not in user.groups.all())
 
+    def test_login_teams_staff_assignment(self):
+        settings.OPENID_LAUNCHPAD_STAFF_TEAMS = ('teamname',)
+        user = User.objects.create_user('testuser', 'someone@example.com')
+        user.is_staff = False
+        user.save()
+        useropenid = UserOpenID(
+            user=user,
+            claimed_id='http://example.com/identity',
+            display_id='http://example.com/identity')
+        useropenid.save()
+        self.assertFalse(user.is_staff)
+
+        # Posting in an identity URL begins the authentication request:
+        response = self.client.post('/openid/login/',
+            {'openid_identifier': 'http://example.com/identity'})
+
+        # Complete the request
+        openid_request = self.provider.parseFormPost(response.content)
+        openid_response = openid_request.answer(True)
+        teams_request = teams.TeamsRequest.fromOpenIDRequest(openid_request)
+        teams_response = teams.TeamsResponse.extractResponse(
+            teams_request, 'teamname,some-other-team')
+        openid_response.addExtension(teams_response)
+        response = self.complete(openid_response)
+
+        # The user's staff status has been updated.
+        user = User.objects.get(username='testuser')
+        self.assertTrue(user.is_staff)
+
+    def test_login_teams_staff_unassignment(self):
+        settings.OPENID_LAUNCHPAD_STAFF_TEAMS = ('different-teamname',)
+        user = User.objects.create_user('testuser', 'someone@example.com')
+        user.is_staff = True
+        user.save()
+        useropenid = UserOpenID(
+            user=user,
+            claimed_id='http://example.com/identity',
+            display_id='http://example.com/identity')
+        useropenid.save()
+        self.assertTrue(user.is_staff)
+
+        # Posting in an identity URL begins the authentication request:
+        response = self.client.post('/openid/login/',
+            {'openid_identifier': 'http://example.com/identity'})
+
+        # Complete the request
+        openid_request = self.provider.parseFormPost(response.content)
+        openid_response = openid_request.answer(True)
+        teams_request = teams.TeamsRequest.fromOpenIDRequest(openid_request)
+        teams_response = teams.TeamsResponse.extractResponse(
+            teams_request, 'teamname,some-other-team')
+        openid_response.addExtension(teams_response)
+        response = self.complete(openid_response)
+
+        # The user's staff status has been updated.
+        user = User.objects.get(username='testuser')
+        self.assertFalse(user.is_staff)
+
+
 class HelperFunctionsTest(TestCase):
     def test_sanitise_redirect_url(self):
         settings.ALLOWED_EXTERNAL_OPENID_REDIRECT_DOMAINS = [