Always request membership of the signed_fpca group

abompard · abompard · commit 37dd3de0ba58 · 2020-11-25T16:10:04.000+01:00
Signed-off-by: Aurélien Bompard &lt;aurelien@bompard.org&gt;
diff --git a/NEWS b/NEWS
@@ -5,6 +5,15 @@ NEWS
 :Authors: Toshio Kuratomi, Luke Macken, Ricky Elrod, Patrick Uiterwijk, Ralph Bean
 :Version: 1.1.0
 
+------
+1.1.1
+------
+
+Bugfixes:
+
+* Membership of the "signed_fpca" group was not always requested.
+
+
 ------
 1.1.0
 ------
diff --git a/flask_fas_openid.py b/flask_fas_openid.py
@@ -265,6 +265,11 @@ def login(self, username=None, password=None, return_url=None,
 
         if isinstance(groups, six.string_types):
             groups = [groups]
+        # In the new AAA system, we know a user has signed the FPCA by looking
+        # a group membership. We must therefore always request the
+        # corresponding group.
+        if "_FAS_ALL_GROUPS_" not in groups:
+            groups.append("signed_fpca")
 
         request.addExtension(sreg.SRegRequest(
             required=['nickname', 'fullname', 'email', 'timezone']))
