I was looking into the code for external users and users in general. I saw a few test cases in which no auth source was assigned to a user and the user is created. Is this intended in any way?
I am not sure about the history of auth sources. I have tried to create a user, and every time I do so an auth source is assigned to the user. To reframe my question: is there a way for a user to log in without an auth source assigned to it?
The history is simple - back in the day, the internal user was the only supported one. Then we added LDAP and we needed a flag to differentiate between the two types, I think. Correct me if I am wrong @Marek_Hulan
A blank auth source should be disallowed in the model, I think.
I agree, thanks for the insight. Can you also throw some light on the setting Authorize login delegation?
Looking at the test cases:
```ruby
context 'authorize_login_delegation = true' do
  setup do
    @host = Host.first
    Setting[:authorize_login_delegation] = true
    Setting[:authorize_login_delegation_api] = false
    set_remote_user_to users(:admin)
    User.current = nil # User.current is admin at this point (from initialize_host)
  end

  test "REMOTE_USER should be ignored for API requests" do
    get :show, params: {:id => @host.to_param, :format => 'json'}
    assert_response 401
  end

  test "REMOTE_USER should be trusted for UI requests" do
    get :show, params: {:id => @host.to_param}
    assert_response :success
  end
end
```
I am not sure why one would need to use this setting. Is there anything specific from the external user's point of view?