Merge branch 'master' into git

endpoints/callbacks.py

@@ -157,7 +157,10 @@ def github_oauth_callback():
   if error:
     return render_ologin_error('GitHub', error)
 
+  # Exchange the OAuth code.
   token = exchange_code_for_token(request.args.get('code'), github_login)
+
+  # Retrieve the user's information.
   user_data = get_user(github_login, token)
   if not user_data or not 'login' in user_data:
     return render_ologin_error('GitHub')
@@ -172,16 +175,35 @@ def github_oauth_callback():
   token_param = {
     'access_token': token,
   }
+
+  # Retrieve the user's orgnizations (if organization filtering is turned on)
+  if github_login.allowed_organizations() is not None:
+    get_orgs = client.get(github_login.orgs_endpoint(), params=token_param,
+                           headers={'Accept': 'application/vnd.github.moondragon+json'})
+
+    organizations = set([org.get('login').lower() for org in get_orgs.json()])
+    if not (organizations & set(github_login.allowed_organizations())):
+      err = """You are not a member of an allowed GitHub organization.
+               Please contact your system administrator if you believe this is in error."""
+      return render_ologin_error('GitHub', err)
+
+  # Find the e-mail address for the user: we will accept any email, but we prefer the primary
   get_email = client.get(github_login.email_endpoint(), params=token_param,
                          headers=v3_media_type)
 
-  # We will accept any email, but we prefer the primary
   found_email = None
   for user_email in get_email.json():
+    if not github_login.is_enterprise() and not user_email['verified']:
+      continue
+
     found_email = user_email['email']
     if user_email['primary']:
       break
 
+  if found_email is None:
+    err = 'There is no verified e-mail address attached to the GitHub account.'
+    return render_ologin_error('GitHub', err)
+
   metadata = {
     'service_username': username
   }