A user promoted via the group claim had its type changed but kept the
permissions of its previous type (e.g. a new user mapped to admin could
not upload). Update permissions from the new type's defaults when the
type changes, and cover it in the setUserGroup tests.
Currently OIDC group-based role assignment only recognizes groups named
'admin', 'user', or 'guest' (case-insensitive), and denies login when a
user's groups match none of them. This makes group-based roles unusable
with identity providers whose group names differ, and offers no way to
admit such users with a default role.
Add two optional server settings:
- authOpenIDAdminGroups: comma-separated group names mapped to the admin
role, in addition to the built-in names.
- authOpenIDGroupDefaultRole: role assigned when no group matches,
instead of denying login.
Both default to empty, preserving current behavior. Includes the auth
settings UI fields, en-us strings, and unit tests for setUserGroup.