Commit
If in LDAP mode, users not being assigned a default role at login (#8708)
Currently, if using the LDAP auth IAM_TYPE, a user might have access to the application to log in but no role is assigned to the user. This creates confusion for users as they are not able to perform any actions in CVAT even though they can log in. In comparison, this behaviour is not encountered if using the BASIC auth IAM_TYPE, as the `IAM_DEFAULT_ROLE` is assigned to the user when they log in for the first time.

To explain a bit further the flow that we encountered: maintainers of an organization use the email service to invite users to their org, then users click on the email link, log in to the application and accept the invite to the organization. Even though they might even be `maintainers` in the organization, they cannot perform any action, as the rego rules for organizations need users to at least have the "worker" role in the application. The same goes for sending invitations to the organization if they have been made `maintainers`.

Here are the links to the rego files:

- https://github.com/cvat-ai/cvat/blob/develop/cvat/apps/organizations/rules/organizations.rego
- https://github.com/cvat-ai/cvat/blob/develop/cvat/apps/organizations/rules/invitations.rego

### How has this been tested?

Yes, I have a local deployment with LDAP enabled. With these changes, if I log in then I get assigned the default role and I can perform actions in the application.

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

- **New Features**
  - Enhanced LDAP user management by refining group assignment logic, ensuring default roles are only assigned to non-superuser and non-staff users.
- **Bug Fixes**
  - Improved control flow for user group assignments to prevent unnecessary role assignments for elevated privilege users.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Rodrigo Agundez <rodrigo.agundez@dyson.com>
Co-authored-by: Maria Khrustaleva <maria@cvat.ai>
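A minimal model of the login flow the commit message describes, added here as an illustration and not CVAT's own code: it shows why an LDAP user with no mapped role is denied inside an organization, and how assigning the default role only to non-superuser, non-staff users changes that. The role names, the LDAP group DNs, `sync_roles`, `can_act_in_org` and the choice to add the default only when no LDAP group maps to a role are assumptions.

```python
from dataclasses import dataclass, field

# Assumed values for illustration; a real deployment reads these from settings.
IAM_DEFAULT_ROLE = "worker"
IAM_ADMIN_ROLE = "admin"
# Constructed mapping of application role -> LDAP group DNs (hypothetical DNs).
LDAP_ROLE_GROUPS = {
    "admin": {"cn=cvat-admins,ou=groups,dc=example,dc=com"},
    "user": {"cn=cvat-users,ou=groups,dc=example,dc=com"},
}


@dataclass
class User:
    name: str
    is_staff: bool = False
    is_superuser: bool = False
    roles: set = field(default_factory=set)


def sync_roles(user, ldap_group_dns, assign_default):
    """Map directory groups to application roles at login.

    assign_default=False models the behaviour before the fix,
    assign_default=True the behaviour after it.
    """
    dns = {dn.lower() for dn in ldap_group_dns}
    roles = {role for role, groups in LDAP_ROLE_GROUPS.items() if groups & dns}
    if IAM_ADMIN_ROLE in roles:
        user.is_staff = user.is_superuser = True
    # The fix: a plain user with no mapped role still gets the default one;
    # superusers and staff are left alone.
    if assign_default and not roles and not (user.is_superuser or user.is_staff):
        roles.add(IAM_DEFAULT_ROLE)
    user.roles = roles
    return user


def can_act_in_org(user, org_role):
    """Org rules as the commit message describes them: membership alone is
    not enough, the user also needs at least one application role."""
    return org_role is not None and bool(user.roles)
```
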