From 765351c5e947d28de7242589725b4056bba3ac2b Mon Sep 17 00:00:00 2001
From: Ian Bobbitt <ian@icb.im>
Date: Sun, 24 Jun 2018 23:54:29 +0000
Subject: [PATCH] Emit audit history when SAML assertions promote or demote a
 user.

---
 app/views.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/app/views.py b/app/views.py
index 73da8ce..5fc3da0 100644
--- a/app/views.py
+++ b/app/views.py
@@ -253,10 +253,18 @@ def saml_authorized():
         if admin_attribute_name:
           if 'true' in session['samlUserdata'].get(admin_attribute_name, []):
             logging.debug("User is an admin")
-            user.role_id = Role.query.filter_by(name='Administrator').first().id
+            admin_role = Role.query.filter_by(name='Administrator').first().id
+            if user.role_id != admin_role:
+                user.role_id = admin_role
+                history = History(msg='Promoting {0} to administrator'.format(user.username), created_by='SAML Assertion')
+                history.add()
           else:
             logging.debug("User is NOT an admin")
-            user.role_id = Role.query.filter_by(name='User').first().id
+            user_role = Role.query.filter_by(name='User').first().id
+            if user.role_id != user_role:
+                user.role_id = user_role
+                history = History(msg='Demoting {0} to user'.format(user.username), created_by='SAML Assertion')
+                history.add()
         user.plain_text_password = None
         user.update_profile()
         session['external_auth'] = True