Commit graph

7 commits

Author SHA1 Message Date
Boris Rybalkin
e8b845e43c Sync user permissions to the new type on OIDC group mapping
A user promoted via the group claim had its type changed but kept the
permissions of its previous type (e.g. a new user mapped to admin could
not upload). Update permissions from the new type's defaults when the
type changes, and cover it in the setUserGroup tests.
2026-06-06 23:57:56 +01:00
Boris Rybalkin
d6cfdd3bec Add configurable OIDC group-to-role mapping
Currently OIDC group-based role assignment only recognizes groups named
'admin', 'user', or 'guest' (case-insensitive), and denies login when a
user's groups match none of them. This makes group-based roles unusable
with identity providers whose group names differ, and offers no way to
admit such users with a default role.

Add two optional server settings:
- authOpenIDAdminGroups: comma-separated group names mapped to the admin
  role, in addition to the built-in names.
- authOpenIDGroupDefaultRole: role assigned when no group matches,
  instead of denying login.

Both default to empty, preserving current behavior. Includes the auth
settings UI fields, en-us strings, and unit tests for setUserGroup.
2026-06-06 19:02:17 +01:00
Vito0912
50e2fe7fd2
Fix http/https error 2025-08-30 17:47:21 +02:00
advplyr
4018be6330 Fix oidc auto-register not cleaning up new user on errors #4563 2025-08-10 17:26:15 -05:00
advplyr
99a3867ce9 Update callback url check
Co-authored-by: Denis Arnst <git@sapd.eu>
2025-08-10 17:08:25 -05:00
advplyr
f7b94a4b6d Fix OIDC auto register user #4485 2025-07-13 17:04:02 -05:00
advplyr
9c8900560c Seperate out auth strategies, update change password to return error status codes 2025-07-07 15:04:40 -05:00