SAML groups not fully compatible with Group-folders app #833

Open
jo-krk opened this issue Apr 17, 2024 · 6 comments

@jo-krk

jo-krk commented Apr 17, 2024

Hi,

I'm not sure if it's a problem of Nextcloud Server or the user_saml app or the groupfolders app, but perhaps you could help me to identify that at least. Thanks!

Steps to reproduce

  1. Add user Bob to group group-A in your IDP (in my case: Keycloak)
  2. Log in with user Bob to Nextcloud
  3. group-A is now visible for Admins in my-nextcloud.com/index.php/settings/users
  4. Configure 'Group folder' for group-A in my-nextcloud.com/index.php/settings/admin/groupfolders, let's call it group-A-folder
  5. Create new user Alice, add them to group group-A in the IDP, but do not log in with this user yet.
  6. Remove user Bob from group group-A
  7. Log out & log in again with user Bob
  8. Group group-A is no longer visible for Admins in my-nextcloud.com/index.php/settings/users, because the last active user doesn't belong to it anymore (?)
  9. Check 'Group folders' config (my-nextcloud.com/index.php/settings/admin/groupfolders): group-A-folder is still there, but as group-A is missing, it's assigned to "None" of the groups
  10. Log in with user Alice and confirm that the user can't see group-A-folder

Expected behaviour

Groups should be preserved even if the last active member has left the group.

Actual behaviour

Groups are dropped as soon as the last active member doesn't belong to the group anymore, which breaks compatibility with the groupfolders app, even though 'External storage' (my-nextcloud.com/index.php/settings/admin/externalstorages) is preserving those groups.

Server configuration

Operating system:
Ubuntu 22.04.2 LTS

Web server:
Apache

Database:
MariaDB

PHP version:
8.1

Nextcloud version:
28.0.4

List of activated apps:

Enabled:
  - activity: 2.20.0
  - admin_audit: 1.18.0
  - circles: 28.0.0
  - cloud_federation_api: 1.11.0
  - comments: 1.18.0
  - contactsinteraction: 1.9.0
  - dashboard: 7.8.0
  - dav: 1.29.1
  - external: 5.3.1
  - federatedfilesharing: 1.18.0
  - federation: 1.18.0
  - files: 2.0.0
  - files_external: 1.20.0
  - files_pdfviewer: 2.9.0
  - files_reminders: 1.1.0
  - files_sharing: 1.20.0
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - firstrunwizard: 2.17.0
  - forms: 4.1.1
  - groupfolders: 16.0.6
  - impersonate: 1.15.0
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - nextcloud_announcements: 1.17.0
  - notifications: 2.16.0
  - oauth2: 1.16.3
  - password_policy: 1.18.0
  - photos: 2.4.0
  - polls: 7.0.3
  - privacy: 1.12.0
  - provisioning_api: 1.18.0
  - qownnotesapi: 24.4.0
  - related_resources: 1.3.0
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - sharebymail: 1.18.0
  - support: 1.11.1
  - survey_client: 1.16.0
  - systemtags: 1.18.0
  - text: 3.9.1
  - theming: 2.3.0
  - twofactor_backupcodes: 1.17.0
  - updatenotification: 1.18.0
  - user_saml: 6.1.3
  - user_status: 1.8.1
  - viewer: 2.2.0
  - weather_status: 1.8.0
  - workflowengine: 2.10.0

@blizzz
Member

blizzz commented Apr 18, 2024

Groups are intentionally deleted by the SAML backend when they have no member anymore:

https://github.com/nextcloud/user_saml/blob/master/lib/GroupManager.php#L165-L171

@jo-krk
Author

jo-krk commented Apr 18, 2024

Thank you for the reply @blizzz,
Could you please suggest a solution for the situation I described in 'Steps to reproduce', when a user is pre-created but not really used yet? I don't see how the authors of groupfolders can address it, if the group is really deleted from everywhere. And I'm even more surprised how 'External storage' kept this information about the groups, even after deletion?

Thanks

@blizzz
Member

blizzz commented Apr 29, 2024

> Could you please suggest solution for situation I described in 'Steps to reproduce', when user is pre-created but not really used yet?

On the operational side, keep a ghost user inside.

Code-wise, I am tending towards a config flag to keep empty groups and check that setting before deleting them. Perhaps it would be sufficient to have this configurable via CLI only.

> And I'm even more surprised how 'External storage' kept this information about the groups, even after deletion?

Yes, that could be a bug report in the server repository.

@marcojarjour

Hi there

We also faced this issue and therefore added a config option as a pull request to prevent the removal of a group if user_saml_keep_empty_groups is set to true, which is set to false by default.

@blizzz could you review it?
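
The repro steps from the issue, replayed against a small model with and without a keep-empty-groups flag. This is an added example, not code from user_saml or groupfolders: `SamlGroupModel`, `syncOnLogin`, `canSeeFolder` and `replay` are hypothetical names, the users are constructed, and the model assumes the folder's group assignment is lost when the group is deleted (the "None" in step 9).

```php
<?php
declare(strict_types=1);

// Simplified model with hypothetical names; not user_saml's GroupManager.
final class SamlGroupModel
{
    private array $groups = [];        // group id => [uid => true]
    public array $folderGroups = [];   // folder name => group id (stand-in for groupfolders)

    public function __construct(private bool $keepEmptyGroups = false) {}

    // Apply the group list the IdP asserts for $uid at login.
    public function syncOnLogin(string $uid, array $assertedGroups): void
    {
        foreach ($assertedGroups as $gid) {
            $this->groups[$gid][$uid] = true;   // group is created on first sight
        }
        foreach (array_keys($this->groups) as $gid) {
            if (in_array((string) $gid, $assertedGroups, true)) {
                continue;
            }
            unset($this->groups[$gid][$uid]);   // membership revoked at the IdP
            if ($this->groups[$gid] === [] && !$this->keepEmptyGroups) {
                unset($this->groups[$gid]);     // empty group is deleted
                // Assumption: the folder's group assignment goes with it.
                $this->folderGroups = array_filter($this->folderGroups, fn ($g) => $g !== (string) $gid);
            }
        }
    }

    public function canSeeFolder(string $uid, string $folder): bool
    {
        $gid = $this->folderGroups[$folder] ?? null;
        return $gid !== null && isset($this->groups[$gid][$uid]);
    }
}

// Replays the issue's steps and returns whether Alice can see the folder.
function replay(bool $keepEmptyGroups): bool
{
    $m = new SamlGroupModel($keepEmptyGroups);
    $m->syncOnLogin('bob', ['group-A']);              // steps 1-3
    $m->folderGroups['group-A-folder'] = 'group-A';   // step 4
    $m->syncOnLogin('bob', []);                       // steps 6-7
    $m->syncOnLogin('alice', ['group-A']);            // step 10, Alice's first login
    return $m->canSeeFolder('alice', 'group-A-folder');
}

var_dump(replay(false), replay(true)); // default behaviour, then with the flag set
```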

@blizzz
Member

blizzz commented Dec 10, 2024

For the record, done last week :)

@marcojarjour

> For the record, done last week :)

Thanks, yes I saw it and I am on it to improve it accordingly, just could not find the time to get it done.
At least I got a proper dev setup working.
