
fix: Disable role change when OIDC roles are not ignored

Maksim Eltyshev 2023-10-25 23:39:34 +02:00
parent e41a434fc8
commit d951ba59dd
9 changed files with 23 additions and 20 deletions


@ -73,6 +73,10 @@ module.exports = {
delete inputs.name;
/* eslint-enable no-param-reassign */
} else if (user.isSso) {
if (!sails.config.custom.oidcIgnoreRoles) {
delete inputs.isAdmin; // eslint-disable-line no-param-reassign
}
delete inputs.name; // eslint-disable-line no-param-reassign
}
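Review bot: The added `delete inputs.isAdmin` in the `user.isSso` branch discards the field silently, so a request that tries to change the role of an IdP-managed account returns normally and leaves no trace. This mirrors the `delete inputs.name` handling next to it, but a role change is a privilege change, and a dropped attempt is worth a log entry or an explicit rejection so it shows up in review. At minimum a why-comment would help, for example `// role is owned by the IdP unless OIDC roles are ignored`. The enclosing function begins and ends outside the hunk.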


@ -90,11 +90,9 @@ module.exports = {
});
}
const updateFieldKeys = ['email', 'isAdmin', 'isSso', 'name', 'username'];
if (sails.config.custom.oidcIgnoreRoles) {
// Remove isAdmin from updateFieldKeys
updateFieldKeys.splice(updateFieldKeys.indexOf('isAdmin'), 1);
const updateFieldKeys = ['email', 'isSso', 'name', 'username'];
if (!sails.config.custom.oidcIgnoreRoles) {
updateFieldKeys.push('isAdmin');
}
const updateValues = {};


@ -110,12 +110,13 @@ module.exports = {
tableName: 'user_account',
customToJSON() {
const isLockedAdmin = this.email === sails.config.custom.defaultAdminEmail;
const isDefaultAdmin = this.email === sails.config.custom.defaultAdminEmail;
return {
..._.omit(this, ['password', 'isSso', 'avatar', 'passwordChangedAt']),
isLockedAdmin,
isLocked: this.isSso || isLockedAdmin,
isLocked: this.isSso || isDefaultAdmin,
isRoleLocked: (this.isSso && !sails.config.custom.oidcIgnoreRoles) || isDefaultAdmin,
isDeletionLocked: isDefaultAdmin,
avatarUrl:
this.avatar &&
`${sails.config.custom.userAvatarsUrl}/${this.avatar.dirname}/square-100.${this.avatar.extension}`,
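Review bot: `isRoleLocked` and `isDeletionLocked` in `customToJSON` are values serialized to the client, so they can only hide controls; the checks that matter live in the controllers. The update controller in this commit strips `isAdmin` for SSO users when roles are not ignored, which matches the SSO half of `isRoleLocked`, but the default-admin half and the deletion lock depend on code not shown on this page, so it is worth confirming that the update and delete paths refuse those requests server-side. Because the `isSso && !oidcIgnoreRoles` condition now exists both here and in the controller, a comment such as `// UI hint only; enforced in the user update/delete controllers` would help keep the two from drifting. `customToJSON` continues past the end of the hunk.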


@ -39,7 +39,7 @@ module.exports.custom = {
oidcScopes: process.env.OIDC_SCOPES || 'openid email profile',
oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [],
oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
oidcIgnoreRoles : process.env.OIDC_IGNORE_ROLES || false,
oidcIgnoreRoles: process.env.OIDC_IGNORE_ROLES === 'true',
// TODO: move client base url to environment variable?
oidcRedirectUri: `${
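Review bot: The strict `=== 'true'` comparison for `oidcIgnoreRoles` treats `TRUE`, `True`, `1` or a value with stray whitespace as false, and false here means the IdP's roles are applied. An operator who meant to ignore IdP roles would then, per the other hunks in this commit, have `isAdmin` synced from IdP claims and role changes blocked for SSO users, with nothing indicating that the variable was not recognised. Normalising the value, `oidcIgnoreRoles: (process.env.OIDC_IGNORE_ROLES || '').trim().toLowerCase() === 'true',`, or warning at startup on an unrecognised value would make a misconfiguration visible. The `module.exports.custom` object starts and ends outside the hunk.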


@ -34,10 +34,6 @@ exports.seed = async (knex) => {
createdAt: new Date().toISOString(),
});
} catch (error) {
if (Object.keys(data).length === 0) {
return;
}
await knex('user_account').update(data).where('email', process.env.DEFAULT_ADMIN_EMAIL);
}
};