From f2976518c306d05f94e055f0984905320d38b474 Mon Sep 17 00:00:00 2001
From: Tanner Prestegard <tanner.prestegard@ligo.org>
Date: Wed, 10 Jul 2019 09:38:49 -0500
Subject: [PATCH] ligoauth: bugfix group removal code in shibboleth auth
 middleware

---
 gracedb/ligoauth/middleware.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/gracedb/ligoauth/middleware.py b/gracedb/ligoauth/middleware.py
index e10be4daa..a4b879fbf 100644
--- a/gracedb/ligoauth/middleware.py
+++ b/gracedb/ligoauth/middleware.py
@@ -96,7 +96,10 @@ class ShibbolethWebAuthMiddleware(PersistentRemoteUserMiddleware):
 
         # Remove groups in database which are not in session, except for groups
         # which are managed by admins, like EM advocates and executives
-        user.groups.remove(*user.groups.exclude(pk__in=session_groups))
+        groups_to_remove = user.groups.filter(
+            authgroup__ldap_name__isnull=False).exclude(
+            pk__in=session_groups)
+        user.groups.remove(*groups_to_remove)
 
         # NOTE: The two above operations could be done much more nicely if
         # the queryset operation difference() worked in MySQL
-- 
GitLab