
'Merge Roles from SSO' wipes all user roles from the existing user #17466

Closed
Gummikavalier opened this issue Apr 28, 2020 · 6 comments
Labels
feat: oauth / sso feat: roles / permissions stat: stale Stale issues will be automatically closed if no activity type: bug

Comments

@Gummikavalier

Description:

Since RC 3.1.x when Merge Roles from SSO is enabled, the Custom Oauth authentication wipes existing user roles from the user, if not defined in Oauth source or the Roles/Groups field of the configuration.

The issue is meaningful because if the Oauth roles don't match with the existing roles, manually managed roles get wiped out. Instead of 'Merge', it now acts more like 'Replace'.

Steps to reproduce:

  1. Create a working custom Oauth configuration.
  2. Leave the Roles/Groups field name field empty.
  3. See that Merge Roles from SSO is disabled.
  4. Log in with a regular user via Oauth, and check via the admin console that the user gets at least the 'Users' role. As Admin, add one custom role to the user in addition to the existing role. Log out with the user account.
  5. Again in the admin console, enable Merge Roles from SSO in your custom Oauth config.
    [Screenshot from 2020-04-28 20-03-03: the custom Oauth configuration with Merge Roles from SSO enabled]
  6. Log in again with the user account.
  7. Check the user's roles again from the admin console.

Expected behavior:

All existing roles should stay intact in all use cases. New ones can be added if those are offered by the Oauth source and config allows this, but in this example neither provides them.

Actual behavior:

The user loses his existing 'User' role and any other additional roles. Losing the user role causes lots of issues for the user; for instance, listing channels and users under the directory fails, and most of the channels go missing in the channel listing pane.

Server Setup Information:

  • Version of Rocket.Chat Server: 3.1.2
  • Operating System: CentOS7
  • Deployment Method: tar
  • Number of Running Instances: 20
  • DB Replicaset Oplog: yes
  • NodeJS Version: v12.16.1
  • MongoDB Version: 3.6.18

Additional context

This behaviour did not exist yet in RC 3.0.12.
The issue may be related to what #14454 tried to achieve.
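As an added illustration of the behaviour described in this report (example code, not Rocket.Chat's own), the snippet below models the "merge" semantics the reporter expects next to the "replace" behaviour observed, and adds a hypothetical before/after check an administrator could run to detect roles that vanished after an SSO login.

```javascript
// Added example, not Rocket.Chat code. Models the role handling discussed in the issue.

// Expected semantics: union of the user's existing roles and whatever the SSO source
// supplied. An absent or empty SSO role list (Roles/Groups field left blank) must leave
// the existing roles untouched.
function mergeRoles(existingRoles, ssoRoles) {
  const incoming = Array.isArray(ssoRoles) ? ssoRoles : [];
  return Array.from(new Set([...existingRoles, ...incoming]));
}

// Observed behaviour: existing roles are discarded and replaced by the SSO list.
// With no SSO roles the user ends up with no roles at all, not even 'user'.
function replaceRoles(existingRoles, ssoRoles) {
  return Array.isArray(ssoRoles) ? [...ssoRoles] : [];
}

// Defender-side check (hypothetical helper): compare a user's roles before and after an
// SSO login and report anything that disappeared. Losing 'user' or 'admin' is critical,
// since that is what locks people out of directories, channels and the admin console.
function auditRoleChange(before, after) {
  const lost = before.filter((r) => !after.includes(r));
  const gained = after.filter((r) => !before.includes(r));
  const critical = lost.filter((r) => r === 'user' || r === 'admin');
  return { lost, gained, critical };
}

// Constructed sample matching the reproduction steps: default 'user' role plus one
// manually assigned custom role, logging in via Oauth that supplies no roles.
const existing = ['user', 'custom-role'];
const fromSso = [];

console.log(auditRoleChange(existing, mergeRoles(existing, fromSso)));
// expected: { lost: [], gained: [], critical: [] }
console.log(auditRoleChange(existing, replaceRoles(existing, fromSso)));
// expected: { lost: ['user', 'custom-role'], gained: [], critical: ['user'] }
```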

@jdurand67

Any solution?

@ralfbecker
Contributor

Sounds like the same / similar issue reported by me a while ago: #14559

Ralf

@namxam

namxam commented Aug 4, 2020

Yeah, I just lost my admin access due to this 😢

@github-actions
Contributor

github-actions bot commented Oct 5, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stat: stale Stale issues will be automatically closed if no activity label Oct 5, 2020
@Gummikavalier
Author

This issue is still valid in RC 3.6.3. Merge Roles from SSO acts as replace instead of merge.

@OlafDammann

How come SUCH a critical issue is closed? This makes R.C unusable!
