fix: User group deletion without reading User.groups with LDAP backend

canaille/backends/ldap/ldapobject.py

@@ -112,11 +112,11 @@ class LDAPObject(BackendModel, metaclass=LDAPObjectMetaclass):
             name in self.changes or name in self.state
         )
 
-    def get_ldap_attribute(self, name):
-        if name in self.changes:
+    def get_ldap_attribute(self, name, lookup_changes=True, lookup_state=True):
+        if name in self.changes and lookup_changes:
             return self.changes[name]
 
-        if not self.state.get(name):
+        if not self.state.get(name) or not lookup_state:
             return None
 
         # Lazy conversion from ldap format to python format

canaille/backends/ldap/models.py

@@ -51,11 +51,8 @@ class User(canaille.core.models.User, LDAPObject):
         # The LDAP attribute memberOf cannot directly be edited,
         # so this is needed to update the Group.member attribute
         # instead.
-        old_groups = self.state.get(group_attr) or []
-        new_groups = [
-            value if isinstance(value, Group) else Group.get(value)
-            for value in self.changes[group_attr]
-        ]
+        old_groups = self.get_ldap_attribute(group_attr, lookup_changes=False) or []
+        new_groups = self.get_ldap_attribute(group_attr, lookup_state=False) or []
         to_add = set(new_groups) - set(old_groups)
         to_del = set(old_groups) - set(new_groups)
         del self.changes[group_attr]

tests/core/test_groups.py

@@ -3,6 +3,15 @@ from canaille.core.populate import fake_groups
 from canaille.core.populate import fake_users
 
 
+def test_delete_group(testclient, backend, user, admin, foo_group):
+    foo_group.members = [user, admin]
+    backend.save(foo_group)
+
+    user = backend.get(models.User, user.id)
+    user.groups = []
+    backend.save(user)
+
+
 def test_no_group(app, backend):
     assert backend.query(models.Group) == []