From 8cd50d56844bc525d026303896b7d77000568b74 Mon Sep 17 00:00:00 2001
From: Denis Arnst
Date: Fri, 29 Mar 2024 14:51:34 +0100
Subject: [PATCH] OpenID: Don't downgrade root
---
 server/Auth.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/server/Auth.js b/server/Auth.js
index e14348c7..59f32d7e 100644
--- a/server/Auth.js
+++ b/server/Auth.js
@@ -220,6 +220,16 @@ async setUserGroup(user, userinfo) {
 let userType = rolesInOrderOfPriority.find(role => groupsList.includes(role))
 if (userType) {
+ if (user.type === 'root') {
+ // Check OpenID Group
+ if (userType !== 'admin') {
+ throw new Error(`Root user "${user.username}" cannot be downgraded to ${userType}. Denying login.`)
+ } else {
+ // If root user is logging in via OpenID, we will not change the type
+ return
+ }
+ }
+
 Logger.debug(`[Auth] openid callback: Setting user ${user.username} type to ${userType}`)
 if (user.type !== userType) {
@@ -239,7 +249,7 @@ async updateUserPermissions(user, userinfo) {
 if (!absPermissionsClaim) // No advanced permissions claim configured, don't set anything
 return
- if (user.type === 'admin')
+ if (user.type === 'admin' || user.type === 'root')
 return
 const absPermissions = userinfo[absPermissionsClaim]
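Review bot: In the new root branch of `setUserGroup`, the login is refused with a bare `throw` and nothing is logged at that point, although the normal path right below it logs at debug level; a refused root login deserves a warning-level entry of its own, so I would put a `Logger.warn(...)` call naming the user and the resolved role directly before the `throw`. Whether the caller already logs the thrown error is not visible from this hunk. The `else` after the `throw` is redundant, so the branch can end in a plain `return` under the existing comment. The guard sits inside `if (userType)` and the function continues outside the hunk, so the case where a root account matches none of the roles is decided by code not shown here and should be checked against the same rule.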
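Review bot: The early return for `admin` and `root` in `updateUserPermissions` carries no comment, unlike the commented return just above it, so the reason the permissions claim is skipped for these types is left to the reader. I would add `// The advanced-permissions claim is not applied to admin and root users` above the condition. Since the privileged types are now listed inline, `['admin', 'root'].includes(user.type)` would keep them in one expression if another type is ever added. The function body continues outside the hunk.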