Error if user has no role #8958

Closed
geekgonecrazy opened this issue Nov 27, 2017 · 10 comments

@geekgonecrazy
Contributor

Description:

If somehow the user has no role, a user cannot log in and things break all around for that user.

We should handle this more gracefully.

Server Setup Information:

  • Version of Rocket.Chat Server: 0.59.3

Steps to Reproduce:

  1. Create a user without the roles field.

@isometry

isometry commented Nov 28, 2017

We appear to be facing this issue with users recently created via SAML login.
A user authenticates for the first time and an account is created with a blank username (until very recently users were being correctly created with the username supplied by SAML) and no role assignments. Seemingly as a result of this bug, it is then impossible to either set a username (because the user has no roles) or add the user to a role (because the user has no username).

@geekgonecrazy
Contributor Author

@isometry happen to have any details about your setup? Specifically doing anything different with db?

@isometry

isometry commented Dec 4, 2017

@geekgonecrazy : we're running on a hosted *.rocket.chat instance, so unfortunately have no direct access to the underlying database.

SAML is configured to use OneLogin, which provides NameID:=email, cn and username attributes in its assertion. Previously, this correctly matched existing users based on email, and used cn and username attributes only to provision accounts for new users. For the past couple of weeks, it seems that the username attribute has been ignored during provisioning, and instead Rocket creates an account with a blank username. Some of these blank username users (likely the first affected) have a role set (allowing me to set a username manually), but the most recent ones do not, which appears to leave us in the chicken-and-egg dilemma described above. Authentication for existing users continues as expected.

@isometry

isometry commented Dec 4, 2017

Parsing our full user list, it appears that with the SAML "Generate Username" setting flipped to "True", new users were created with a non-blank username (seemingly the user part of user@domain.tld, rather than the username attribute passed by SAML) but with no role.

@geekgonecrazy
Contributor Author

@isometry please shoot an email to cloud@rocket.chat with your instance name. I can help look into the details there.

@paulovitin
Contributor

@geekgonecrazy is this problem with empty roles or with no roles key in the database? With empty roles I could log in; with no roles key I could not log in and the log has an exception.

If the second one is the problem, I could send a PR.

@rodrigok
Member

rodrigok commented Dec 7, 2017

@paulovitin It seems to be related to no roles at all (missing the field).

@geekgonecrazy
Contributor Author

I should probably spin off another issue. But just remembered also an admin is unable to give a user a role when key doesn't exist or delete the user when roles key doesn't exist.

@rodrigok rodrigok added this to the 0.60.0 milestone Dec 19, 2017

@ClundXIII

> I should probably spin off another issue. But just remembered also an admin is unable to give a user a role when key doesn't exist or delete the user when roles key doesn't exist.

I have run into exactly this problem due to the issues described in #18737

I am neither able to add a role nor delete the user. Using the API also fails.

@fabiiretro

Using the REST API inside the docker container, I was able to call users.update to manually give them the user role. A call from outside (chat.xy) resulted in a bad request.
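
An added example, not part of the thread or of Rocket.Chat's code: a JavaScript audit over constructed user documents that separates the cases the comments above distinguish (no `roles` key, empty `roles`, blank username) and flags the combination where neither a username nor a role can be set. Only the `username` and `roles` field names and the `user` role come from the thread; `_id`, the function names and the sample records are assumptions.

```javascript
// Constructed sample documents for illustration (not real data).
const sampleUsers = [
  { _id: 'u1', username: 'alice', roles: ['admin'] },
  { _id: 'u2', username: 'bob', roles: [] },       // empty roles array
  { _id: 'u3', username: 'carol' },                // no roles key at all
  { _id: 'u4', username: '', roles: ['user'] },    // blank username, role present
  { _id: 'u5' },                                   // neither username nor roles
  { _id: 'u6', username: 'dave', roles: 'user' },  // malformed: string, not array
];

// Tolerant role check: a missing or malformed `roles` field means
// "no roles" instead of throwing while the field is dereferenced.
function hasRole(user, role) {
  return Array.isArray(user && user.roles) && user.roles.includes(role);
}

// Separate "key absent" from "key present but empty", since the thread
// reports different behaviour for the two.
function classifyRoles(user) {
  if (!Object.prototype.hasOwnProperty.call(user, 'roles')) return 'missing';
  if (!Array.isArray(user.roles)) return 'malformed';
  return user.roles.length === 0 ? 'empty' : 'ok';
}

// Return one finding per account that needs repair.
function auditUsers(users) {
  const findings = [];
  for (const user of users) {
    const roles = classifyRoles(user);
    const blankUsername =
      typeof user.username !== 'string' || user.username.trim() === '';
    if (roles !== 'ok' || blankUsername) {
      findings.push({
        id: user._id,
        roles,
        blankUsername,
        // No usable role and no username: the state described in the
        // thread where neither can be set through the admin UI.
        chickenAndEgg: roles !== 'ok' && blankUsername,
      });
    }
  }
  return findings;
}

console.log(auditUsers(sampleUsers));
```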
