From da2eddfb5a041d5878eab18b6eae354a5d88203a Mon Sep 17 00:00:00 2001 From: Jens L Date: Thu, 21 Mar 2024 17:04:55 +0100 Subject: [PATCH] website/docs: add example policy to enforce unique email address (#8955) * website/docs: add example policy to enforce unique email address Signed-off-by: Jens Langhammer * reword Signed-off-by: Jens Langhammer --------- Signed-off-by: Jens Langhammer --- .../working_with_policies/unique_email.md | 19 +++++++++++++++++++ .../working_with_policies/whitelist_email.md | 16 +++++++--------- website/sidebars.js | 5 ++++- 3 files changed, 30 insertions(+), 10 deletions(-) create mode 100644 website/docs/policies/working_with_policies/unique_email.md diff --git a/website/docs/policies/working_with_policies/unique_email.md b/website/docs/policies/working_with_policies/unique_email.md new file mode 100644 index 0000000000..7227fc01da --- /dev/null +++ b/website/docs/policies/working_with_policies/unique_email.md @@ -0,0 +1,19 @@ +--- +title: Ensure unique email addresses +--- + +Due to the database design of authentik, email addresses are by default not required to be unique. This behavior can however be changed by policies. + +The snippet below can as the expression in policies both with enrollment flows, where the policy should be bound to any stage before the [User write](../../flow/stages/user_write.md) stage, or it can be used with the [Prompt stage](../../flow/stages/prompt/index.md). + +```python +from authentik.core.models import User + +# Ensure this matches the *Field Key* value of the prompt +field_name = "email" +email = request.context["prompt_data"][field_name] +if User.objects.filter(email=email).exists(): + ak_message("Email address in use") + return False +return True +``` diff --git a/website/docs/policies/working_with_policies/whitelist_email.md b/website/docs/policies/working_with_policies/whitelist_email.md index 3cb3f0e7a0..e184cd4e50 100644 --- a/website/docs/policies/working_with_policies/whitelist_email.md 
+++ b/website/docs/policies/working_with_policies/whitelist_email.md @@ -2,8 +2,7 @@ title: Whitelist email domains --- -To add specific email addresses to an allow list for signing in through SSO or directly with default policy customization, -follow these steps: +To add specific email addresses to an allow list for signing in through SSO or directly with default policy customization, follow these steps: 1. In the Admin interface, navigate to **Customization > Policies** and modify the default policy named `default-source-enrollment-if-sso`. @@ -11,13 +10,12 @@ follow these steps: ```python allowed_domains = ["example.net", "example.com"] -current_domain =request.context["prompt_data"]["email"].split("@")[1] -if current_domain in allowed_domains: - email = request.context["prompt_data"]["email"] - request.context["prompt_data"]["username"] = email - return ak_is_sso_flow -else: - return ak_message("Access denied for this email domain") + +current_domain = request.context["prompt_data"]["email"].split("@")[1] +if current_domain not in allowed_domains: + ak_message("Access denied for this email domain") + return False +return ak_is_sso_flow ``` This configuration specifies the `allowed_domains` list of domains for logging in through SSO, such as Google OAuth2. If your email is not in the available domains, you will receive a 'Permission Denied' message on the login screen. diff --git a/website/sidebars.js b/website/sidebars.js index b91545ad78..34cb43d87f 100644 --- a/website/sidebars.js +++ b/website/sidebars.js @@ -222,13 +222,16 @@ const docsSidebar = { { type: "category", label: "Working with policies", - items: ["policies/working_with_policies/whitelist_email"], link: { type: "generated-index", title: "Working with policies", slug: "policies/working_with_policies", description: "Overview of policies configuration", }, + items: [ + "policies/working_with_policies/whitelist_email", + "policies/working_with_policies/unique_email", + ], }, "policies/expression", ],
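Review bot: in the new `unique_email.md`, the check `User.objects.filter(email=email).exists()` is a case-sensitive match, so `Alice@example.com` and `alice@example.com` are treated as different addresses and the policy does not actually enforce uniqueness for addresses that differ only in case; `User.objects.filter(email__iexact=email).exists()` (or lowercasing the value before both the check and the write) closes that gap. Two smaller points in the same hunk: `request.context["prompt_data"][field_name]` raises a `KeyError` when the policy is bound somewhere no prompt data has been collected, which is exactly the misbinding the page warns about, so `request.context.get("prompt_data", {}).get(field_name)` with an explicit `return False` on an empty value fails more clearly; and the sentence "The snippet below can as the expression in policies both with enrollment flows" is missing its verb ("can be used as the expression in policies, both with enrollment flows ... or with the Prompt stage").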
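Review bot: the rewritten snippet in `whitelist_email.md` drops the `request.context["prompt_data"]["username"] = email` assignment that the old version performed on the allow path, so the documented policy no longer sets the username from the email address; neither the surrounding text nor the commit message mentions this, so either restore that line before `return ak_is_sso_flow` or say on the page that the username mapping was removed. Also, `request.context["prompt_data"]["email"].split("@")[1]` (carried over unchanged) raises an `IndexError` on a value without `@` and compares the domain case-sensitively, so `user@Example.COM` is denied even though `example.com` is allowed; `request.context["prompt_data"]["email"].rpartition("@")[2].lower()` handles both. Finally, the unchanged context line still says the user "will receive a 'Permission Denied' message", while the code now emits "Access denied for this email domain"; the prose should quote the message the snippet actually shows.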