From: tschmidt Date: Tue, 21 Feb 2012 01:17:51 +0000 (-0800) Subject: added GOOGLE_WHITE_LISTED_DOMAINS setting to Google OAuth, updated documentation X-Git-Url: https://git.parisson.com/?a=commitdiff_plain;h=8858859f4355ac76c2c41b04686dbfd52f901c4e;p=django-social-auth.git added GOOGLE_WHITE_LISTED_DOMAINS setting to Google OAuth, updated documentation --- diff --git a/doc/backends/google.rst b/doc/backends/google.rst index c73cc7e..2867c37 100644 --- a/doc/backends/google.rst +++ b/doc/backends/google.rst @@ -33,6 +33,10 @@ anonymous values will be used if not configured as described in their GOOGLE_OAUTH_EXTRA_SCOPE = [...] +- Supply a list of domain strings to be checked. The default (empty list) allows all domains. If a list is provided and a user attempts to sign in with a Google account that is not in the list, then a ValueError will be raised and the user will be redirected to your login error page:: + + GOOGLE_WHITE_LISTED_DOMAINS = ['mydomain.com'] + Check which applications can be included in their `Google Data Protocol Directory`_ @@ -70,7 +74,7 @@ Google OpenID Configurable settings: -- Supply a list of domain strings to be checked. The default (empty list) allows all domains. If a list is provided and a user attempts to sign in with a Google account that is not in the list, then a ValueError will be raised and the user will be redirected to your login error page:: +- Supply a list of domain strings to be checked:: GOOGLE_WHITE_LISTED_DOMAINS = ['mydomain.com'] diff --git a/social_auth/backends/google.py b/social_auth/backends/google.py index 88896ab..c96d4fa 100644 --- a/social_auth/backends/google.py +++ b/social_auth/backends/google.py @@ -49,6 +49,7 @@ class GoogleOAuthBackend(OAuthBackend): def get_user_id(self, details, response): "Use google email as unique id""" + validate_allowed_domain(details['email']) return details['email'] def get_user_details(self, response): 
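Review bot: `GoogleOAuthBackend.get_user_id` now raises `ValueError` for a disallowed domain, but it still reads as a plain getter and its one-line docstring does not say so. I would extend it to `"""Use google email as unique id; raises ValueError if the domain is not in GOOGLE_WHITE_LISTED_DOMAINS."""`, which also tidies the odd `"…"""` quoting on that line. The same applies to `GoogleBackend.get_user_id` in the next google.py hunk. Because the domain restriction is enforced only inside this method, it holds only if every sign-in path calls `get_user_id` before a user is created or associated. The rest of the class is outside the hunk, so that is worth confirming and noting in a comment.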
@@ -80,10 +81,7 @@ class GoogleBackend(OpenIDBackend): is unique enought to flag a single user. Email comes from schema: http://axschema.org/contact/email """ - # White listed domains (accepts all if list is empty) - domains = setting('GOOGLE_WHITE_LISTED_DOMAINS', []) - if domains and details['email'].split('@', 1)[1] not in domains: - raise ValueError('Domain not allowed') + validate_allowed_domain(details['email']) return details['email'] @@ -201,6 +199,16 @@ def googleapis_email(url, params): return None +def validate_allowed_domain(email): + """Validates allowed domains against the GOOGLE_WHITE_LISTED_DOMAINS setting. + Allows all domains if setting is an empty list. + """ + domains = setting('GOOGLE_WHITE_LISTED_DOMAINS', []) + if domains and email.split('@', 1)[1] not in domains: + raise ValueError('Domain not allowed') + + + # Backend definition BACKENDS = { 'google': GoogleAuth,
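Review bot: `email.split('@', 1)[1]` in `validate_allowed_domain` raises `IndexError` (or `AttributeError` for `None`) rather than the documented `ValueError` when the address is empty or has no `@`. This looks reachable on the OAuth path, since `googleapis_email` in the context just above can return `None`. The sign-in is still refused, but probably as an unhandled error instead of the redirect to the login error page. I would parse with `_, sep, domain = (email or '').rpartition('@')` and reject with `if domains and (not sep or domain not in domains): raise ValueError('Domain not allowed')`. The comparison is also case-sensitive, so a mixed-case domain is refused unless both sides are lowercased, and the docstring should say that the check is only as strong as the provider's verification of the email it receives.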