feat: assign users to teams via OIDC claims #1393
|
@ -217,10 +217,12 @@ func HandleCallback(c echo.Context) error {
|
|||
if err != nil {
|
||||
log.Errorf("Could not proceed with group routine %v", err)
|
||||
viehlieb marked this conversation as resolved
Outdated
|
||||
}
|
||||
err = RemoveUserFromTeamsByIds(s, u, utils.NotIn(oldOidcTeams, oidcTeams))
|
||||
teamIDsToLeave := utils.NotIn(oldOidcTeams, oidcTeams)
|
||||
err = RemoveUserFromTeamsByIds(s, u, teamIDsToLeave)
|
||||
if err != nil {
|
||||
log.Errorf("Found error while leaving teams %v", err)
|
||||
}
|
||||
konrad marked this conversation as resolved
Outdated
konrad
commented
Doing this every time a user logs in probably has performance implications but that's a problem to care about when we'll hit it in the wild. Doing this every time a user logs in probably has performance implications but that's a problem to care about when we'll hit it in the wild.
viehlieb
commented
only if it has teamIDsToLeave, but yeah I agree. The problem is more the oidc structure itself, that you "have" to check for changes "everytime" you sign in.. only if it has teamIDsToLeave, but yeah I agree.
The problem is more the oidc structure itself, that you "have" to check for changes "everytime" you sign in..
|
||||
err = RemoveEmptySSOTeams(s, u, teamIDsToLeave)
|
||||
}
|
||||
err = s.Commit()
|
||||
if err != nil {
|
||||
|
@ -257,6 +259,17 @@ func AssignOrCreateUserToTeams(s *xorm.Session, u *user.User, teamData []models.
|
|||
return oidcTeams, err
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
Please return the error instead of logging only. Please return the error instead of logging only.
konrad
commented
Please don't ignore the errors. Please don't ignore the errors.
viehlieb
commented
not ignored now not ignored now
|
||||
}
|
||||
|
||||
func RemoveEmptySSOTeams(s *xorm.Session, u *user.User, teamIDs []int64) (err error) {
|
||||
for _, teamID := range teamIDs {
|
||||
count, err := s.Where("team_id = ?", teamID).Count(&models.TeamMember{})
|
||||
if count == 0 && err == nil {
|
||||
log.Debugf("SSO team with id %v has no members. It will be deleted", teamID)
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
This whole inner loop should be rewritten to something like this so that it's more idomatic go:
This whole inner loop should be rewritten to something like this so that it's more idomatic go:
```go
tm := models.TeamMember{TeamID: teamID, Username: u.Username}
err := tm.Delete(s, u)
if err != nil {
return err
}
team, err := models.GetTeamByID(s, teamID)
if err != nil {
return err
}
err = team.Delete(s, u)
if err != nil {
return err
}
konrad
commented
Also right now you'll only delete the team if deleting the member did not work, which does not really make sense. Also right now you'll only delete the team if deleting the member did not work, which does not really make sense.
viehlieb
commented
changed behaviour to not delete team changed behaviour to not delete team
|
||||
_, err = s.Where("id = ?", teamID).Delete(&models.Team{})
|
||||
}
|
||||
}
|
||||
return err
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
Not sure if this is a good solution. Imagine one membership fails to get removed while the others get through. Then there's inconsistent state and the whole thing is not atomic anymore. I think we should instead return on the first error and let the caller deal with it. Not sure if this is a good solution. Imagine one membership fails to get removed while the others get through. Then there's inconsistent state and the whole thing is not atomic anymore. I think we should instead return on the first error and let the caller deal with it.
viehlieb
commented
okay, but won't it reach inconsistent state anyways? or do you suggest to catch ErrCannotDeleteLastTeamMember and ask to sign out manually from that specific group(s) and sign out from other groups anyway? I think it is intended behavior to sign out from teams when possible, and to leave teams as they are, where error is found. Maybe giving a hint to leave manually because you are last user. Did I understand you correctly? okay, but won't it reach inconsistent state anyways?
Imagine the user is in 3 groups.
tm is deleted for group 1
tm is not deleted for group 2, because user is last member
tm won't be deleted for group 3, where user is not last member and should be removed.
or do you suggest to catch ErrCannotDeleteLastTeamMember and ask to sign out manually from that specific group(s) and sign out from other groups anyway?
I think it is intended behavior to sign out from teams when possible, and to leave teams as they are, where error is found. Maybe giving a hint to leave manually because you are last user.
Did I understand you correctly?
konrad
commented
What's your difference between "signing out from a team" and "leaving a team"? Aren't the two the same?
Not if the whole db transaction is rolled back. > I think it is intended behavior to sign out from teams when possible, and to leave teams, where error is found.
What's your difference between "signing out from a team" and "leaving a team"? Aren't the two the same?
> okay, but won't it reach inconsistent state anyways?
Not if the whole db transaction is rolled back.
viehlieb
commented
edited edited
viehlieb
commented
the edit is:
I think it is intended behavior to sign out from teams when possible, and to leave teams as they are, where error is found. Maybe giving a hint to leave manually because you are last user.
If the whole transaction is rolled back, then it might very challening to organize teams, because if a member sits on a team as last member, then the member cannot leave this team. the edit is:
> > I think it is intended behavior to sign out from teams when possible, and to leave teams, where error is found.
>
> What's your difference between "signing out from a team" and "leaving a team"? Aren't the two the same?
>
I think it is intended behavior to sign out from teams when possible, and to leave teams **as they are**, where error is found. Maybe giving a hint to leave manually because you are last user.
> > okay, but won't it reach inconsistent state anyways?
> Not if the whole db transaction is rolled back.
If the whole transaction is rolled back, then it might very challening to organize teams, because if a member sits on a team as last member, then the member **cannot leave this** team.
The suggestion would be to leave teams, if it is possible -> the team membership, where the user cannot be signed out because of
```ErrCannotDeleteLastTeamMember{tm.TeamID, tm.UserID}```
should be resolved manually then
konrad
commented
Ah so "leave a team" in this context is "not deleting / modifying it"? Not "A user leaves a team"? I guess I'm just understanding it differently :)
Why would it do that? That's not what should happen, but how would being the last member of one team prevent that user to leave another team?
But resolving this manually would mean the user needs to manually remove the team, which they cannot do because the team was created from openid? > to leave teams as they are, where error is found
Ah so "leave a team" in this context is "not deleting / modifying it"? Not "A user leaves a team"?
I guess I'm just understanding it differently :)
> if a member sits on a team as last member, then the member cannot leave other teams.
Why would it do that? That's not what should happen, but how would being the last member of one team prevent that user to leave another team?
> where the user cannot be signed out because of
ErrCannotDeleteLastTeamMember{tm.TeamID, tm.UserID}
should be resolved manually then
But resolving this manually would mean the user needs to manually remove the team, which they cannot do because the team was created from openid?
viehlieb
commented
I think it is the responsibility of oidc admins to not let a team go blank without coordinating the potential destructive danger of it. > if a member sits on a team as last member, then the member cannot leave other teams.
...is edited. I meant: the member cannot leave this team, if it is the last membership.
> where the user cannot be signed out because of
ErrCannotDeleteLastTeamMember{tm.TeamID, tm.UserID}
should be resolved manually then
> But resolving this manually would mean the user needs to manually remove the team, which they cannot do because the team was created from openid?
I think it is the responsibility of _oidc admins_ to not let a team go blank without coordinating the potential destructive danger of it.
Therefore i would just delete the team + team_memberships.
konrad
commented
Okay, that makes more sense. > I think it is the responsibility of oidc admins to not let a team go blank without coordinating the potential destructive danger of it. Therefore i would just delete the team + team_memberships.
Okay, that makes more sense.
|
||||
}
|
||||
|
||||
func RemoveUserFromTeamsByIds(s *xorm.Session, u *user.User, teamIDs []int64) (err error) {
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
Why not cast this to Why not cast this to `[]map[string]interface{}` directly?
viehlieb
commented
no reason, no reason,
had claim VikunjaGroups more agnostic to specific data type.
now casts directly to []map[string]interface{}
|
||||
|
||||
if len(teamIDs) < 1 {
|
||||
|
@ -269,7 +282,6 @@ func RemoveUserFromTeamsByIds(s *xorm.Session, u *user.User, teamIDs []int64) (e
|
|||
}
|
||||
|
||||
log.Debugf("Removing team_member with user_id %v from team_ids %v", u.ID, strings.Join(strSlice, ","))
|
||||
|
||||
_, err = s.Where("team_id IN (?) AND user_id = ?", strings.Join(strSlice, ","), u.ID).Delete(&models.TeamMember{})
|
||||
return err
|
||||
}
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
|
||||
package utils
|
||||
|
||||
// find the elements which appear in slice1,but not in slice2
|
||||
// find the elements which appear in slice1, but not in slice2
|
||||
func NotIn(slice1 []int64, slice2 []int64) []int64 {
|
||||
var diff []int64
|
||||
|
||||
|
|
Please don't call this "Sign out". That's a different thing.