LDAP auto-provision: user cree DESACTIVE par defaut + role viewer (admin doit l'activer)

2026-04-15 11:46:22 +02:00 · 2026-04-15 11:46:22 +02:00 · f013aaaab6
commit f013aaaab6
parent 53d4f71607
1 changed files with 6 additions and 6 deletions
--- a/app/routers/auth.py
+++ b/app/routers/auth.py
@ -47,17 +47,17 @@ async def login(request: Request, username: str = Form(...), password: str = For
                log_login_failed(db, request, username)
                db.commit()
                return err_template(result.get("msg") or "Authentification LDAP echouee")
-            # Cree l'user en local avec role par defaut
-            default_role = result.get("default_role", "operator")
+            # Cree l'user DESACTIVE + sans permissions. Admin doit l'activer + permissionner.
+            default_role = result.get("default_role", "viewer")
            db.execute(text("""
                INSERT INTO users (username, email, full_name, role, is_active, auth_type, password_hash)
-                VALUES (:u, :e, :n, :r, true, 'ldap', '')
+                VALUES (:u, :e, :n, :r, false, 'ldap', '')
            """), {"u": username, "e": result.get("email", ""),
                   "n": result.get("name", username), "r": default_role})
            db.commit()
-            row = db.execute(text("SELECT id, username, password_hash, role, is_active, auth_type FROM users WHERE LOWER(username)=LOWER(:u)"),
-                             {"u": username}).fetchone()
-            ok = True
+            log_login_failed(db, request, username)  # trace de l'auto-creation
+            db.commit()
+            return err_template("Compte cree mais en attente d'activation par un administrateur")
        elif not row:
            log_login_failed(db, request, username)
            db.commit()