# Copyright 2026 360ERP (<https://www.360erp.com>)
# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
import logging
from odoo import models
# Module-level logger, named after this module's import path.
_logger = logging.getLogger(__name__)
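class ResUser(models.Model):
    """Extend ``res.users`` so that a completed SAML sign-in also drives role sync."""

    _inherit = "res.users"

    def _auth_saml_signin(self, provider, validation, saml_response):
        """
        Intercept the standard SAML sign-in, allow it to complete,
        and then pass the identity payload to the generic role engine.

        :param provider: identifier passed to ``auth.saml.provider`` ``browse()``
            to load the provider's ``sync_roles_strictly`` setting.
        :param validation: mapping produced by the SAML validation step; only
            the ``saml_identity_payload`` key is read here.
        :param saml_response: forwarded unchanged to the parent implementation.
        :return: the login returned by the parent implementation.

        Errors raised by the parent sign-in or by the role engine are not
        caught here; they propagate to the caller, so a failed role sync is
        never silently ignored.

        NOTE(review): roles are granted from ``saml_identity_payload``. This
        assumes the key is only ever populated from the already-validated
        assertion -- confirm where it is set.
        """
        login = super()._auth_saml_signin(provider, validation, saml_response)

        identity_payload = validation.get("saml_identity_payload")
        if identity_payload is None:
            # No payload: the role engine is not invoked and the user's current
            # roles stay untouched, whatever the provider's strict setting is.
            return login

        # sudo(): the lookup must work regardless of the access rights of the
        # environment that is performing the sign-in.
        user = self.env["res.users"].sudo().search([("login", "=", login)], limit=1)
        if not user:
            # Sign-in succeeded but no user record matched the login, so roles
            # cannot be evaluated. Leave a trace so the skipped sync is visible
            # to operators and to monitoring.
            _logger.warning(
                "SAML role sync skipped: no user found for login %s (provider %s)",
                login,
                provider,
            )
            return login

        # Fetch the provider record to check its specific strict_sync setting.
        # Read under sudo() like the user lookup above, so a calling
        # environment without read access to the provider model cannot make
        # the role sync fail with an access error part-way through sign-in.
        provider_record = self.env["auth.saml.provider"].sudo().browse(provider)
        strict_sync = provider_record.sync_roles_strictly

        # ``user`` already lives in the sudo environment created for the search.
        user.evaluate_and_apply_auth_roles(identity_payload, strict_sync=strict_sync)
        return login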