The SSOUser class of the SSO Module does not override the hasRole() and inGroup() methods.

According to the interface description, as well as the default implementation (MgnlUser), both of the above mentioned methods should return whether a User has a transitive assignment of the given Group or Role.

SSOUser only takes directly assigned Groups and Roles into consideration.

Steps to reproduce

1. Create a group in Magnolia and assign a role to it
2. Create a SSO group mapping, so that a user gets the Group created in #1 assigned
3. Login with the user and test role membership using User#hasRole

Expected results

should return true, as the user has the transitive role assigned.

should behave in the same way as a Magnolia installation with local user authentication.

Actual results

returns false

Workaround

Assign direct roles and groups only, which

• defeats the purpose of Role based Security
• unrealistic in an SSO environment (or any environment at all)

Development notes

A merge request has been created to fix this issue:

https://git.magnolia-cms.com/projects/ENTERPRISE/repos/magnolia-sso/pull-requests/188/overview