diff --git a/gracedb/permission_utils.py b/gracedb/permission_utils.py
index ccd2f9462bc1761b4569265aa3e974664b372d70..c71157537c955226a8eaf209c3e46faed5db9c31 100644
--- a/gracedb/permission_utils.py
+++ b/gracedb/permission_utils.py
@@ -96,16 +96,16 @@ def lvem_user_required(view):
 # in a view.
 #-------------------------------------------------------------------------------
 def is_external(user):
-# if user:
-# user_groups = [g.name for g in user.groups.all()]
-# if settings.LVC_GROUP not in user_groups:
-# return True
-# return False
-# else:
-# return True
- if user.username == 'branson.stephens@LIGO.ORG':
+ if user:
+ user_groups = [g.name for g in user.groups.all()]
+ if settings.LVC_GROUP not in user_groups:
+ return True
 return False
- return True
+ else:
+ return True
+# if user.username == 'branson.stephens@LIGO.ORG':
+# return False
+# return True
 #-------------------------------------------------------------------------------
 # A utility for determining whether an external user should have access to a
diff --git a/ligoauth/middleware/auth.py b/ligoauth/middleware/auth.py
index 52702f43cb81ab411c72cd5142d2d2e737ecfc65..cc22d966d59a9b27fce1086a00ebbfb27a874743 100644
--- a/ligoauth/middleware/auth.py
+++ b/ligoauth/middleware/auth.py
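Review bot: The old hard-coded test override is kept as commented-out code at the end of `is_external`, including a personal account name; because this function decides who is treated as external, the three added `+#` lines should be deleted rather than left where they can be re-enabled by accident. The restored check also materialises every group name to test a single membership; `return not (user and user.groups.filter(name=settings.LVC_GROUP).exists())` states the same fail-closed rule in one query, assuming the Django version in use provides `exists()`. A one-line docstring would make the default explicit, for example `"""Return True unless user belongs to settings.LVC_GROUP; a missing user counts as external."""`.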
@@ -107,16 +107,37 @@ class LigoAuthMiddleware:
 message += "THIS SHOULD NEVER HAPPEN"
 pass
- # Add shib user to groups. This operation is idempotent, but may
- # incur a performance hit.
+ # Update user groups
 isMemberOf = request.META.get('isMemberOf',None)
+ user_group_names = []
 if isMemberOf:
- for group_name in isMemberOf.split(';'):
+ user_group_names = isMemberOf.split(';')
+ user_group_names = set(user_group_names)
+
+ # The above user list is a raw list that contains many groups that are not of
+ # interest to GraceDB. We will intersect it with the known groups.
+ known_group_names = set([g.name for g in Group.objects.all()])
+ user_group_names = user_group_names & known_group_names
+
+ # Now get the stored user groups
+ stored_user_group_names = set([g.name for g in user.groups.all()])
+
+ # Take necessary action if the group sets differ
+ if user_group_names != stored_user_group_names:
+ # If the user has acquired a new group membership, add it.
+ for group_name in user_group_names - stored_user_group_names:
 try:
 g = Group.objects.get(name=group_name)
 g.user_set.add(user)
 except:
 pass
+ # If the user has lost a group membership, remove it.
+ for group_name in stored_user_group_names - user_group_names:
+ try:
+ g = Group.objects.get(name=group_name)
+ g.user_set.remove(user)
+ except:
+ pass
 if not user and dn:
 user = authenticate(dn=dn)
diff --git a/static/css/style.css b/static/css/style.css
index 319108ec7afc0972b35d1ce28ae3137b8e559ce9..f83ed3144207c1d4f023ceb1920bf40e795ae0da 100644
--- a/static/css/style.css
+++ b/static/css/style.css
@@ -38,6 +38,13 @@ table.gstlalcbc th {padding:3px;border:none;vertical-align:bottom;}
 padding: 4px;
 }
+#lvem_view_message {
+ margin-left: 15px;
+ max-width: 600px;
+ background-color: #ffe6e6;
+ padding: 10px;
+}
+
 .signoff-area th {
 background-color: rgb(200, 200, 200);
 }
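Review bot: Both sync loops wrap the membership change in a bare `except: pass`, so in the new removal loop a failed `g.user_set.remove(user)` is silently ignored and the user keeps a group that the `isMemberOf` attribute no longer asserts. Both name sets are already limited to existing `Group` rows, so the per-name `Group.objects.get` and the try/except are unnecessary, and the two loops can become set-based `add`/`remove` calls as sketched below. Two things need confirming, because indentation and the surrounding method are not visible here: that `user` cannot be unset when `user.groups.all()` runs (the following context line `if not user and dn:` suggests it can be), and that clearing every stored group when `isMemberOf` is absent is intended, since that appears to drop locally assigned groups as well. The enclosing method of `LigoAuthMiddleware` starts and ends outside the hunk.

```python
# … unchanged: isMemberOf parsing, intersection with known groups, stored_user_group_names …
gained = user_group_names - stored_user_group_names
lost = stored_user_group_names - user_group_names
if gained:
    user.groups.add(*Group.objects.filter(name__in=list(gained)))
if lost:
    # Let a failure propagate: a swallowed error here leaves a revoked membership in place.
    user.groups.remove(*Group.objects.filter(name__in=list(lost)))
```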
diff --git a/templates/base.html b/templates/base.html
index 150d40ad81aa74ebd27b0ef2e8832ce4d31a219c..b53ec8a3d17d481e49c1b282d163f4a203fcfeef 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -62,6 +62,16 @@ function changeTime(obj, label) {
 </h1>
 {% endif %}
 </center>
+
+{% if 'lvem_view' in request.path %}
+<div id="lvem_view_message">
+<b>IMPORTANT:</b> You are viewing this page as a member of the LV-EM Observers group.
+At the end of your session, please remove the 'lvem_view/' string from the URL to
+return to the regular GraceDB site. This will ensure that your group memberships
+are correct the next time you log in.
+</div>
+{% endif %}
+
 {% endblock %}
 <p> </p> <!-- bad way to create vertical space -->
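Review bot: The banner condition `{% if 'lvem_view' in request.path %}` is a substring test, so it is true for any URL whose path contains that text, not only for pages served under the LV-EM prefix. A flag set by the code that actually selects the LV-EM view would be a more reliable signal, for example `{% if lvem_view_active %}` (the variable name is a placeholder constructed for this note). The banner text also asks users to edit the URL by hand so that their group memberships are correct at the next login, which suggests the per-request group sync in ligoauth/middleware/auth.py stores whatever the last-visited prefix supplied. If so, access checks that read stored groups depend on a step users can forget, and the sync should be made independent of the URL path.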