Sync user permissions to the new type on OIDC group mapping

A user promoted via the group claim had its type changed but kept the
permissions of its previous type (e.g. a new user mapped to admin could
not upload). Update permissions from the new type's defaults when the
type changes, and cover it in the setUserGroup tests.
This commit is contained in:
Boris Rybalkin 2026-06-06 23:57:56 +01:00
parent d6cfdd3bec
commit e8b845e43c
2 changed files with 7 additions and 0 deletions

View file

@ -212,6 +212,7 @@ class OidcAuthStrategy {
if (user.type !== userType) { if (user.type !== userType) {
Logger.info(`[OidcAuth] openid callback: Updating user "${user.username}" type to "${userType}" from "${user.type}"`) Logger.info(`[OidcAuth] openid callback: Updating user "${user.username}" type to "${userType}" from "${user.type}"`)
user.type = userType user.type = userType
user.permissions = Database.userModel.getDefaultPermissionsForUserType(userType)
await user.save() await user.save()
} }
} else { } else {

View file

@ -3,20 +3,25 @@ const sinon = require('sinon')
const Database = require('../../../server/Database') const Database = require('../../../server/Database')
const Logger = require('../../../server/Logger') const Logger = require('../../../server/Logger')
const User = require('../../../server/models/User')
const OidcAuthStrategy = require('../../../server/auth/OidcAuthStrategy') const OidcAuthStrategy = require('../../../server/auth/OidcAuthStrategy')
describe('OidcAuthStrategy', () => { describe('OidcAuthStrategy', () => {
let strategy let strategy
let originalServerSettings let originalServerSettings
let originalUserModel
beforeEach(() => { beforeEach(() => {
strategy = new OidcAuthStrategy() strategy = new OidcAuthStrategy()
originalServerSettings = Database.serverSettings originalServerSettings = Database.serverSettings
originalUserModel = Database.userModel
Database.userModel = User
sinon.stub(Logger, 'info') sinon.stub(Logger, 'info')
}) })
afterEach(() => { afterEach(() => {
Database.serverSettings = originalServerSettings Database.serverSettings = originalServerSettings
Database.userModel = originalUserModel
sinon.restore() sinon.restore()
}) })
@ -30,6 +35,7 @@ describe('OidcAuthStrategy', () => {
await strategy.setUserGroup(user, { groups: ['syncloud'] }) await strategy.setUserGroup(user, { groups: ['syncloud'] })
expect(user.type).to.equal('admin') expect(user.type).to.equal('admin')
expect(user.permissions.upload).to.be.true
expect(user.save.calledOnce).to.be.true expect(user.save.calledOnce).to.be.true
}) })