From df8ced5bf4acebeb89a67ce5191629bf03fe1b84 Mon Sep 17 00:00:00 2001
From: Elliot Gustafsson
Date: Fri, 8 Aug 2025 16:37:09 +0200
Subject: [PATCH] ldap: Get federated login identifier and use that when checking user privileges in FederatedUserManager (PROJQUAY-8879) (PROJQUAY-5880) (#3978)

---
 data/users/__init__.py | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/data/users/__init__.py b/data/users/__init__.py
index a3858c1ae..2595fa256 100644
--- a/data/users/__init__.py
+++ b/data/users/__init__.py
@@ -422,11 +422,27 @@ class FederatedUserManager(ConfigUserManager):
         self.federated_users = authentication
         super().__init__(app)
 
+    def __get_federated_login_identifier(self, username) -> str:
+        db_user = model.user.get_user(username)
+        if not db_user:
+            return ""
+
+        federated_login = model.user.lookup_federated_login(
+            db_user, self.federated_users.federated_service
+        )
+        if not federated_login:
+            return ""
+        return federated_login.service_ident
+
     def is_superuser(self, username: str) -> bool:
         """
         Returns if the given username represents a super user.
         """
-        return self.federated_users.is_superuser(username) or super().is_superuser(username)
+        identifier = self.__get_federated_login_identifier(username)
+        if not identifier:
+            identifier = username
+
+        return self.federated_users.is_superuser(identifier) or super().is_superuser(username)
 
     def has_superusers(self) -> bool:
         """
@@ -444,7 +460,11 @@ class FederatedUserManager(ConfigUserManager):
         if super().restricted_whitelist_is_set() and not super().is_restricted_user(username):
             return False
 
-        return self.federated_users.is_restricted_user(username) or super().is_restricted_user(
+        identifier = self.__get_federated_login_identifier(username)
+        if not identifier:
+            identifier = username
+
+        return self.federated_users.is_restricted_user(identifier) or super().is_restricted_user(
             username
         )
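Review bot: The new `__get_federated_login_identifier` helper has no docstring and its `username` parameter is unannotated, unlike the surrounding methods that take `username: str`; the docstring should state that it returns the `service_ident` of the user's federated login for `self.federated_users.federated_service`, and `""` when either the Quay user or that login record does not exist. The same three-line fallback `identifier = ...; if not identifier: identifier = username` is repeated here, in the `is_restricted_user` hunk below and in `is_global_readonly_superuser` at +472; a single expression `identifier = self.__get_federated_login_identifier(username) or username` at each call site, or a helper that returns identifier-or-username, would remove the duplication and keep the three privilege checks from drifting. That docstring should also make explicit that because of the fallback, a user with no federated login record is still matched against the federated superuser and restricted lists by Quay username, which is the pre-existing behaviour this change keeps.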
@@ -452,6 +472,10 @@ class FederatedUserManager(ConfigUserManager):
         return self.federated_users.has_restricted_users() or super().has_restricted_users()
 
     def is_global_readonly_superuser(self, username: str) -> bool:
+        identifier = self.__get_federated_login_identifier(username)
+        if not identifier:
+            identifier = username
+
         return self.federated_users.is_global_readonly_superuser(
-            username
+            identifier
         ) or super().is_global_readonly_superuser(username)
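Review bot: `is_global_readonly_superuser` still has no docstring while its siblings `is_superuser` and `has_superusers` document their contract, and the new identifier resolution makes the contract less obvious; I would add `"""Returns whether the given username (or its federated login identifier, when one exists) is a global read-only superuser."""`. Every privilege check on this class now performs the `get_user` and `lookup_federated_login` lookups before consulting the federated backend, so each call issues two extra database queries; if these checks run on a per-request path, it is worth confirming that cost is acceptable or considering memoizing the identifier per request.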