Juniper Upgrade - Changed inheritance for OrganizationMemberBackend

This commit changes the base model to AllowAllUsersModelBackend from ModelBackend for which Organizations.backends.OrganizationMemberBackend inherits. The purpose of this is to address an architectural issue with how Open edX handles authentication and authorization on email vericification. See the source code in this commit for more details
appsembler · Mar 31, 2021 · 5e264ce · 5e264ce
1 parent de7d800
commit 5e264ce
Showing 1 changed file with 23 additions and 7 deletions.
diff --git a/organizations/backends.py b/organizations/backends.py
@@ -3,7 +3,7 @@
 """
 
 from django.conf import settings
-from django.contrib.auth.backends import ModelBackend
+from django.contrib.auth.backends import AllowAllUsersModelBackend, ModelBackend
 from openedx.core.djangoapps.theming.helpers import get_current_site  # pylint: disable=import-error
 from openedx.core.djangoapps.site_configuration.helpers import (  # pylint: disable=import-error
     is_site_configuration_enabled,
@@ -33,13 +33,29 @@ def authenticate(self, *args, **kwargs):  # pylint: disable=arguments-differ
         return None
 
 
-class OrganizationMemberBackend(ModelBackend):
-    """
-    Extension of the regular ModelBackend that will check what Organizations are tied to the
-    current microsite and compare that to the Organizations the user trying to log in belongs to.
-    If there is a match between the two, the user is allowed to log in.
-    """
+class OrganizationMemberBackend(AllowAllUsersModelBackend):
+    """Backend for organization based authentication
+
+    This class is an extension of Django's `AllowAllUserModelBackend`
+
+    This class checks that the user to authenticate belongs to one of the
+    organizations in the specified site
 
+    This class extends `AllowAllUserModelBackend` instead of `ModelBackend`
+    because users need to be able to authenticate when the `user.is_active` is
+    `False`. The reason for this is that Open edX has an email verification
+    scheme that uses `User.is_active` in order to prevent user activity until
+    the users have verified their email. Effectively, edx-platform LMS user
+    authentication state is used to manage authorization state.
+
+    The key problem is that Django's `django.contrib.auth.backends.ModelBackend`
+    is called with `not user.is_active` and Ironwood introduced a check to test
+    authentication on a not yet authorized user. This breaks Tahoe multisite
+    behavior. Extending `AllowAllUsersModelBackend` restores correct behavior.
+
+    For further reference, see settings files and read Django documentation for
+    `AUTHENTICATION_BACKENDS`
+    """
     def authenticate(self, *args, **kwargs):  # pylint: disable=arguments-differ
         """
         Authenticate organization learners.