两次与 SSO 的讨论：避免管理员/版主同步

RGJ · 2019 年4 月 15 日 19:02

We have two Discourses set up, where one uses SSO against the other one.
However, we do not want to synchronize admin and moderator privs, but they are synced every time a user logs in on the SSO client forum.

sso_overrides_groups has been disabled. It does not seem to work for admin and moderator privileges, when I look at the code those are implemented separately (https://github.com/discourse/discourse/blob/master/app/models/discourse_single_sign_on.rb#L78-L102)

Is this by design, or is this a bug? Does anyone know a way around this?

codinghorror · 2019 年4 月 15 日 23:44

Any thoughts on this @sam?

sam · 2019 年4 月 16 日 00:07

We are going to need 2 extra site settings here:

github.com/discourse/discourse

app/controllers/session_controller.rb

74c4ef6b5


      
          sso.admin = current_user.admin?
          sso.moderator = current_user.moderator?
          sso.groups = current_user.groups.pluck(:name).join(",")

sso_provider_include_groups
sso_provider_include_staff_flags

I think the default is correct though.

RGJ · 2019 年9 月 4 日 17:55

@sam，现在提交此问题的 PR 还受欢迎吗？

sam · 2019 年9 月 14 日 23:04

是的，我支持在此处添加相关内容，它显然需要放在客户端。不过，我在命名上有些纠结。

sso_sync_staff、sso_sync_groups 怎么样？sso_sync_groups 的问题在于它与 sso_overrides_groups 存在命名冲突。

所以，也许我们可以改用 sso_incoming_scopes，默认值为 staff,groups...，然后你可以选择允许哪些传入范围。

话题		回复	浏览量
SSO groups without completely overriding Support	9	1678	2021 年1 月 8 日
Technical lift of migrating whitelisted discourse to SSO General	1	861	2022 年1 月 12 日
Users are not added to the moderators groups when registering with SSO Bug sso , discourseconnect	3	2258	2016 年5 月 17 日
Does `sso overrides groups` work with Oauth2? SSO	13	2574	2021 年11 月 19 日
Allow extra metadata from Single Sign On Feature	7	1332	2025 年12 月 4 日

两次与 SSO 的讨论：避免管理员/版主同步

相关话题