diff --git a/CHANGELOG.md b/CHANGELOG.md
index 435686d685d14..c6d49ffa34993 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.43.4-0.1.1 (upcoming)
+
+* [ROCK-8674] Sync correctly Administrators group
+
 ## 0.43.4-0.1.0 (2022-10-07)
 
 * [ROCK-7390] Update metabase to 0.43
diff --git a/src/metabase/stratio/auth.clj b/src/metabase/stratio/auth.clj
index 2d9824038ece7..975954571edb5 100644
--- a/src/metabase/stratio/auth.clj
+++ b/src/metabase/stratio/auth.clj
@@ -39,10 +39,11 @@
 (contains? (set groups) admin-group))
 
 (defn- effective-groups
- [groups]
- (if whitelist-disabled?
- (set groups)
- (set/intersection (set groups) whitelist)))
+ [groups superuser?]
+ (cond-> (set groups)
+ whitelist-enabled? (set/intersection whitelist)
+ true (disj group/admin-group-name) ;; prevent a SSO "Administrators" group to trigger admin status
+ superuser? (conj group/admin-group-name)))
 
 (defn- allowed-user
 [{:keys [user groups error]}]
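Review bot: In effective-groups the `(disj group/admin-group-name)` step removes only an exactly matching name, so the guarantee that an SSO-supplied group never confers admin status holds only if create-and-sync-groups! (outside this hunk) also resolves group names by exact match; if it normalises case or whitespace, a variant spelling would survive the `disj`. The invariant deserves a docstring, for example `"Returns the set of groups to sync. Admin-group membership is decided solely by superuser?, never by a group name received over SSO."`, plus tests pinning both `superuser?` values. The admin group is also added after the whitelist intersection, so a superuser receives it even when the whitelist omits it; presumably that is intended, but the docstring should say so. `whitelist-enabled?` is defined outside this hunk, so its polarity against the old `whitelist-disabled?` cannot be checked from here.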
@@ -83,21 +84,21 @@ (log/error "Could not create and sync groups. Error:" (st.util/stack-trace e))))) (defn- fetch-or-create-user! - [{first_name :first_name {groups :groups} :login_attributes, :as allowed-user}] + [{first_name :first_name {groups :groups} :login_attributes superuser? :is_superuser, :as allowed-user}] (or (if-let [user-in-db (db/select-one [User :id :last_login :is_superuser] :first_name first_name)] (do ;; Check if superuser status has changed and update if necessary (if (or (apply not= (map :is_superuser [user-in-db allowed-user])) (apply not= (map :login_attributes [user-in-db allowed-user]))) (db/update! User (:id user-in-db) - :is_superuser (:is_superuser allowed-user) + :is_superuser superuser? :login_attributes (:login_attributes allowed-user))) (if create-and-sync-groups? - (create-and-sync-groups! (:id user-in-db) (effective-groups groups))) + (create-and-sync-groups! (:id user-in-db) (effective-groups groups superuser?))) user-in-db)) (let [user-inserted (insert-new-user! allowed-user)] (if create-and-sync-groups? - (create-and-sync-groups! (:id user-inserted) (effective-groups groups))) + (create-and-sync-groups! (:id user-inserted) (effective-groups groups superuser?))) user-inserted))) (defn create-session-from-headers!
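Review bot: The `:is_superuser` write in fetch-or-create-user! does not depend on `create-and-sync-groups?`, while the admin-group membership computed by `effective-groups` is applied only when that flag is set. With syncing disabled, a user demoted upstream could therefore keep an existing admin-group membership unless the User model reconciles it elsewhere, which is not visible here. Separately, `superuser?` is destructured straight from `:is_superuser`, so a missing key yields nil rather than false; the change check `(apply not= (map :is_superuser [user-in-db allowed-user]))` would then see nil and false as different and pass nil to `db/update!`. Consider normalising once with `(boolean superuser?)` and adding a comment at the update stating that revoking admin must clear both the flag and the group membership.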