def _handle_new_membership(
self, auth_identity: AuthIdentity) -> Optional[OrganizationMember]:
user = auth_identity.user
# If the user is either currently *pending* invite acceptance (as indicated
# from the pending-invite cookie) OR an existing invite exists on this
# organziation for the email provided by the identity provider.
invite_helper = ApiInviteHelper.from_cookie_or_email(
request=self.request,
organization=self.organization,
email=user.email)
# If we are able to accept an existing invite for the user for this
# organization, do so, otherwise handle new membership
if invite_helper:
if invite_helper.invite_approved:
return invite_helper.accept_invite(user)
# It's possible the user has an _invite request_ that hasn't been approved yet,
# and is able to join the organization without an invite through the SSO flow.
# In that case, delete the invite request and create a new membership.
invite_helper.handle_invite_not_approved()
flags = OrganizationMember.flags["sso:linked"]
# if the org doesn't have the ability to add members then anyone who got added
# this way should be disabled until the org upgrades
if not features.has("organizations:invite-members", self.organization):
flags = flags | OrganizationMember.flags["member-limit:restricted"]
# Otherwise create a new membership
om = OrganizationMember.objects.create(
organization=self.organization,
role=self.organization.default_role,
user=user,
flags=flags,
)
default_teams = self.auth_provider.default_teams.all()
for team in default_teams:
OrganizationMemberTeam.objects.create(team=team,
organizationmember=om)
AuditLogEntry.objects.create(
organization=self.organization,
actor=user,
ip_address=self.request.META["REMOTE_ADDR"],
target_object=om.id,
target_user=om.user,
event=AuditLogEntryEvent.MEMBER_ADD,
data=om.get_audit_log_data(),
)
return om
def handle_new_membership(auth_provider, organization, request, auth_identity):
user = auth_identity.user
# If the user is either currently *pending* invite acceptance (as indicated
# from the pending-invite cookie) OR an existing invite exists on this
# organziation for the email provided by the identity provider.
invite_helper = ApiInviteHelper.from_cookie_or_email(
request=request, organization=organization, email=user.email
)
# If we are able to accept an existing invite for the user for this
# organization, do so, otherwise handle new membership
if invite_helper:
if invite_helper.invite_approved:
invite_helper.accept_invite(user)
return
# It's possible the user has an _invite request_ that hasn't been approved yet,
# and is able to join the organization without an invite through the SSO flow.
# In that case, delete the invite request and create a new membership.
invite_helper.handle_invite_not_approved()
# Otherwise create a new membership
om = OrganizationMember.objects.create(
organization=organization,
role=organization.default_role,
user=user,
flags=OrganizationMember.flags["sso:linked"],
)
default_teams = auth_provider.default_teams.all()
for team in default_teams:
OrganizationMemberTeam.objects.create(team=team, organizationmember=om)
AuditLogEntry.objects.create(
organization=organization,
actor=user,
ip_address=request.META["REMOTE_ADDR"],
target_object=om.id,
target_user=om.user,
event=AuditLogEntryEvent.MEMBER_ADD,
data=om.get_audit_log_data(),
)
return om