We should set a flag in LDAP when someone's membership has expired so that they no longer have access to our various web-based services (which use LDAP for authentication).
I propose setting ShadowExpire (an attribute of ShadowAccount) to 1. We can then use LDAP filters in our web services to filter out users who have this flag set.
## Implementation
- [ ] Create a POST endpoint called `/api/members/expire` (or similar) which sets the LDAP flag on users' records if their membership has expired for over a month. This endpoint should accept a `dry_run` URL parameter which, when set to true, returns the list of members who *would* be updated. When the flag is set to false (the default), a list of members who were updated should be returned.
There is a helper class in ceo_common called Term; this may be helpful.
- [ ] When someone's membership is renewed, we should delete this attribute from their LDAP record if it exists. You will need to modify `/api/members/<username>/renew`.
- [ ] Create a new CLI command for this endpoint, e.g. `ceo members expire [--dry-run]`. In production, this will be called on a cron job, e.g. once a day.
- [ ] Write unit tests for all of the changes above.
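
A sketch of the behaviour described in this issue, added here as an illustration and not taken from the ceo code base: selecting members to flag (with `dry_run`), clearing the flag on renewal, and the filter a web service could use to reject flagged accounts. It assumes an in-memory dict in place of LDAP, a hypothetical `membership_end` date per member instead of the `Term` helper, "over a month" read as 30 days, and the schema spelling `shadowExpire`.

```python
from datetime import date, timedelta

GRACE = timedelta(days=30)  # assumption: "over a month" read as 30 days

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in an LDAP filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def login_filter(username):
    """Filter for a web service: match the uid unless shadowExpire is 1."""
    return "(&(uid=%s)(!(shadowExpire=1)))" % escape_filter_value(username)

def expire_members(directory, today, dry_run=False):
    """Return uids expired for longer than GRACE; set the flag unless dry_run."""
    affected = []
    for uid, entry in sorted(directory.items()):
        if entry.get("shadowExpire") == 1:
            continue  # already flagged, so not part of this run's updates
        if today - entry["membership_end"] > GRACE:
            affected.append(uid)
            if not dry_run:
                entry["shadowExpire"] = 1
    return affected

def renew_member(directory, uid, new_end):
    """Renewal path: extend the membership and delete the flag if present."""
    entry = directory[uid]
    entry["membership_end"] = new_end
    entry.pop("shadowExpire", None)

def sample_directory():
    """Constructed sample records; not real members."""
    return {
        "alice": {"membership_end": date(2024, 1, 1)},
        "bob": {"membership_end": date(2024, 2, 15)},
        "carol": {"membership_end": date(2023, 12, 1), "shadowExpire": 1},
    }

if __name__ == "__main__":
    members = sample_directory()
    today = date(2024, 3, 1)
    print("would update:", expire_members(members, today, dry_run=True))
    print("updated:", expire_members(members, today))
    print("filter:", login_filter("alice"))
```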