From e8b845e43cf94e8b5533737dede965cdb97ba42d Mon Sep 17 00:00:00 2001 From: Boris Rybalkin Date: Sat, 6 Jun 2026 23:57:56 +0100 Subject: [PATCH] Sync user permissions to the new type on OIDC group mapping A user promoted via the group claim had its type changed but kept the permissions of its previous type (e.g. a new user mapped to admin could not upload). Update permissions from the new type's defaults when the type changes, and cover it in the setUserGroup tests. --- server/auth/OidcAuthStrategy.js | 1 + test/server/auth/OidcAuthStrategy.test.js | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/server/auth/OidcAuthStrategy.js b/server/auth/OidcAuthStrategy.js index 8014a436c..201b5bb81 100644 --- a/server/auth/OidcAuthStrategy.js +++ b/server/auth/OidcAuthStrategy.js @@ -212,6 +212,7 @@ class OidcAuthStrategy { if (user.type !== userType) { Logger.info(`[OidcAuth] openid callback: Updating user "${user.username}" type to "${userType}" from "${user.type}"`) user.type = userType + user.permissions = Database.userModel.getDefaultPermissionsForUserType(userType) await user.save() } } else { diff --git a/test/server/auth/OidcAuthStrategy.test.js b/test/server/auth/OidcAuthStrategy.test.js index e701ec426..91f33aabd 100644 --- a/test/server/auth/OidcAuthStrategy.test.js +++ b/test/server/auth/OidcAuthStrategy.test.js @@ -3,20 +3,25 @@ const sinon = require('sinon') const Database = require('../../../server/Database') const Logger = require('../../../server/Logger') +const User = require('../../../server/models/User') const OidcAuthStrategy = require('../../../server/auth/OidcAuthStrategy') describe('OidcAuthStrategy', () => { let strategy let originalServerSettings + let originalUserModel beforeEach(() => { strategy = new OidcAuthStrategy() originalServerSettings = Database.serverSettings + originalUserModel = Database.userModel + Database.userModel = User sinon.stub(Logger, 'info') }) afterEach(() => { Database.serverSettings = originalServerSettings + Database.userModel = originalUserModel sinon.restore() }) @@ -30,6 +35,7 @@ describe('OidcAuthStrategy', () => { await strategy.setUserGroup(user, { groups: ['syncloud'] }) expect(user.type).to.equal('admin') + expect(user.permissions.upload).to.be.true expect(user.save.calledOnce).to.be.true })