[MGNLSSO-38] Users do not get given the roles assigned to a group they belong to
Created: 01/Sep/20 | Updated: 08/Jul/21 | Resolved: 08/Jul/21
| Status: | Closed |
| Project: | Single Sign On |
| Component/s: | None |
| Affects Version/s: | 1.0 |
| Fix Version/s: | 2.0 |
| Type: | Bug | Priority: | Neutral |
| Reporter: | Maxime Michel | Assignee: | Maxime Michel |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Task DoD: |
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[X] Architecture Decision Record (ADR)
| Bug DoR: |
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
| Description |
The module allows mapping a Keycloak group to Magnolia roles and groups. If the configuration defines that a user in magnolia-sre should get the superuser role, then a user in magnolia-sre will get the role and associated security rights. If, however, the configuration defines that a user in magnolia-marketing should be assigned the Magnolia marketing group, then the user will get the group, but this won't have any consequence on security. This will only have practical consequences if the marketing Magnolia group defines associated roles. However, in such a case, the module is currently not smart enough to look for those roles and give them to the user.
| Comments |
| Comment by Maxime Michel [ 08/Jul/21 ] |
We have fixed this issue using the exact same approach as was done in the SSO Connector (thanks jfrantzius for the initial contribution!). However, we have also created a ticket in main in order to open up the API there, and not have to create a TransitiveMgnlUserManager in SsoUserManager. We will therefore be able to replace the implementation at a later time.
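
The difference between the direct lookup described in this ticket and a transitive one, as an added example that is not the module's or Magnolia's own code. The class, method and map names and the sample roles (editor, publisher) are hypothetical, and the nesting of groups inside groups is an assumption that goes beyond the single-group case in the description.

```java
import java.util.*;

// Added illustration; names are hypothetical and do not mirror the Magnolia or SSO module API.
public class TransitiveRoles {
    // Constructed sample data: group -> roles assigned directly to that group.
    static final Map<String, Set<String>> GROUP_ROLES = Map.of(
        "marketing", Set.of("editor"),
        "publishers", Set.of("publisher"));

    // Constructed sample data: group -> groups it is itself a member of (assumed nesting).
    // The two entries point at each other on purpose, to exercise the cycle guard.
    static final Map<String, Set<String>> GROUP_MEMBER_OF = Map.of(
        "marketing", Set.of("publishers"),
        "publishers", Set.of("marketing"));

    // Behaviour described in the ticket: mapped groups are attached to the user,
    // but only roles mapped directly onto the user end up granting anything.
    static Set<String> directRoles(Set<String> mappedRoles, Set<String> mappedGroups) {
        return new TreeSet<>(mappedRoles); // mappedGroups is intentionally ignored
    }

    // Transitive resolution: also collect the roles of every group reachable
    // from the groups the identity provider mapping assigned to the user.
    static Set<String> effectiveRoles(Set<String> mappedRoles, Set<String> mappedGroups) {
        Set<String> roles = new TreeSet<>(mappedRoles);
        Set<String> seen = new HashSet<>();
        Deque<String> todo = new ArrayDeque<>(mappedGroups);
        while (!todo.isEmpty()) {
            String group = todo.pop();
            if (!seen.add(group)) {
                continue; // already visited; prevents looping on cyclic membership
            }
            roles.addAll(GROUP_ROLES.getOrDefault(group, Set.of()));
            todo.addAll(GROUP_MEMBER_OF.getOrDefault(group, Set.of()));
        }
        return roles;
    }

    public static void main(String[] args) {
        // magnolia-sre is mapped to a role, magnolia-marketing to a group.
        System.out.println("sre, direct:          " + directRoles(Set.of("superuser"), Set.of()));
        System.out.println("marketing, direct:    " + directRoles(Set.of(), Set.of("marketing")));
        System.out.println("marketing, effective: " + effectiveRoles(Set.of(), Set.of("marketing")));
    }
}
```

When reviewing a mapping like this, compare the effective role set per identity-provider group against what each group is meant to grant, since transitive resolution widens access as well as fixing missing rights.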