Sync user permissions to the new type on OIDC group mapping

A user promoted via the group claim had its type changed but kept the
permissions of its previous type (e.g. a new user mapped to admin could
not upload). Update permissions from the new type's defaults when the
type changes, and cover it in the setUserGroup tests.
This commit is contained in:
Boris Rybalkin 2026-06-06 23:57:56 +01:00
parent d6cfdd3bec
commit e8b845e43c
2 changed files with 7 additions and 0 deletions

View file

@ -212,6 +212,7 @@ class OidcAuthStrategy {
if (user.type !== userType) {
Logger.info(`[OidcAuth] openid callback: Updating user "${user.username}" type to "${userType}" from "${user.type}"`)
user.type = userType
user.permissions = Database.userModel.getDefaultPermissionsForUserType(userType)
await user.save()
}
} else {

View file

@ -3,20 +3,25 @@ const sinon = require('sinon')
const Database = require('../../../server/Database')
const Logger = require('../../../server/Logger')
const User = require('../../../server/models/User')
const OidcAuthStrategy = require('../../../server/auth/OidcAuthStrategy')
describe('OidcAuthStrategy', () => {
let strategy
let originalServerSettings
let originalUserModel
beforeEach(() => {
strategy = new OidcAuthStrategy()
originalServerSettings = Database.serverSettings
originalUserModel = Database.userModel
Database.userModel = User
sinon.stub(Logger, 'info')
})
afterEach(() => {
Database.serverSettings = originalServerSettings
Database.userModel = originalUserModel
sinon.restore()
})
@ -30,6 +35,7 @@ describe('OidcAuthStrategy', () => {
await strategy.setUserGroup(user, { groups: ['syncloud'] })
expect(user.type).to.equal('admin')
expect(user.permissions.upload).to.be.true
expect(user.save.calledOnce).to.be.true
})