From 6abf38dd3a6535ac9052e69de9573d66ae107c17 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Tue, 15 Mar 2022 17:25:54 +0100
Subject: [PATCH] Fix CreateHome for external users
External users, when logging in for the first time, have no role assigned and are unable to create their home because that requires the create-space permission. This assigns users that don't have a role assigned to the default user role and persists that assignment in the settings service so that CreateHome can pick it up when checking permissions later. This also disables the auto creation of the user's home in the reva auth provider (i.e. when using basic auth) as the role assignement has not happenend at that point. So the home creation will now always happen in the CreateHome middleware in the proxy.
---
 proxy/pkg/user/backend/cs3.go | 18 ++++++++++++++----
 storage/pkg/config/defaults/defaultconfig.go | 2 +-
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/proxy/pkg/user/backend/cs3.go b/proxy/pkg/user/backend/cs3.go
index e754760b99f..cc423ca6e95 100644
--- a/proxy/pkg/user/backend/cs3.go
+++ b/proxy/pkg/user/backend/cs3.go
@@ -61,11 +61,21 @@ func (c *cs3backend) GetUserByClaims(ctx context.Context, claim, value string, w
 }
 }
+ // if roles are empty, assume we haven't seen the user before and assign a
+ // default user role. At least until proper roles are provided. See
+ // https://github.com/owncloud/ocis/issues/1825 for more context.
 if len(roleIDs) == 0 {
- roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser, settingsService.SelfManagementPermissionID)
- // if roles are empty, assume we haven't seen the user before and assign a default user role. At least until
- // proper roles are provided. See https://github.com/owncloud/ocis/issues/1825 for more context.
- //return user, nil
+ if user.Id.Type == cs3.UserType_USER_TYPE_PRIMARY {
+ c.logger.Info().Str("userid", user.Id.OpaqueId).Msg("user has no role assigned, assigning default user role")
+ _, err := c.settingsRoleService.AssignRoleToUser(ctx, &settingssvc.AssignRoleToUserRequest{
+ AccountUuid: user.Id.OpaqueId,
+ RoleId: settingsService.BundleUUIDRoleUser,
+ })
+ if err != nil {
+ c.logger.Error().Err(err).Msg("Could not add default role")
+ }
+ roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser)
+ }
 }
 enc, err := encodeRoleIDs(roleIDs)
diff --git a/storage/pkg/config/defaults/defaultconfig.go b/storage/pkg/config/defaults/defaultconfig.go
index 142b05db7ff..7d21b8dd0f2 100644
--- a/storage/pkg/config/defaults/defaultconfig.go
+++ b/storage/pkg/config/defaults/defaultconfig.go
@@ -266,7 +266,7 @@ func DefaultConfig() *config.Config {
 },
 CommitShareToStorageGrant: true,
 CommitShareToStorageRef: true,
- DisableHomeCreationOnLogin: false,
+ DisableHomeCreationOnLogin: true,
 ShareFolder: "Shares",
 LinkGrants: "",
 HomeMapping: "",
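Review bot: In the cs3.go hunk, a failed `AssignRoleToUser` call is only logged and `roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser)` still runs, so the roles encoded for this request claim an assignment the settings service never stored. The commit message says CreateHome reads the persisted assignment when checking permissions, so that check would then fail later with nothing tying it back to this error. I would append the role only on success (move the append into an `else` branch, or return the error if GetUserByClaims can), and add `Str("userid", user.Id.OpaqueId)` to the error log so the failure can be matched to an account. The new code also drops `settingsService.SelfManagementPermissionID` from the default set and gives non-primary user types no role at all; if that is intended, a one-line comment such as `// guest/federated users intentionally get no default role` would record it. How `roleIDs` is filled lies outside the hunk, so it is worth confirming that an empty list here cannot come from a failed role lookup, since this branch would then persist the default role for an already known user.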