Mirrors/unleash.unleash
1
0
Fork 0
mirror of https://github.com/Unleash/unleash.git synced 2025-09-24 17:51:14 +02:00
Code Issues Projects Releases Wiki Activity

fix: users managed by SCIM should not get their name updated

Browse Source
This commit is contained in:
Gastón Fournier 2025-09-22 17:16:23 +02:00
parent 7cec4d6923
commit e74ac423c6
No known key found for this signature in database
GPG Key ID: AF45428626E17A8E
2 changed files with 176 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/lib/services/user-service.ts
View File

@ -506,9 +506,30 @@ export class UserService {
try { try {
user = await this.store.getByQuery({ email }); user = await this.store.getByQuery({ email });
// Update user if autCreate is enabled. // Update user if not managed by scim
if (name && user.name !== name) { if (name && user.name !== name && !user.scimId) {
user = await this.store.update(user.id, { name, email }); const currentRole = await this.accessService.getRootRoleForUser(
user.id,
);
const updatedUser = await this.store.update(user.id, {
name,
email,
});
await this.eventService.storeEvent(
new UserUpdatedEvent({
auditUser: SYSTEM_USER_AUDIT,
preUser: {
...user,
rootRole: currentRole.id,
},
postUser: {
...updatedUser,
rootRole: currentRole.id,
},
}),
);
user = { ...user, ...updatedUser };
} }
} catch (e) { } catch (e) {
// User does not exists. Create if 'autoCreate' is enabled // User does not exists. Create if 'autoCreate' is enabled

36
src/test/e2e/services/user-service.e2e.test.ts
View File

@ -435,6 +435,7 @@ test('updating a user without an email should not strip the email', async () =>
expect(updatedUser.email).toBe(email); expect(updatedUser.email).toBe(email);
}); });
describe('loginUserSSO', () => {
test('should login and create user via SSO', async () => { test('should login and create user via SSO', async () => {
const recordedEvents: Array<{ loginOrder: number }> = []; const recordedEvents: Array<{ loginOrder: number }> = [];
eventBus.on(USER_LOGIN, (data) => { eventBus.on(USER_LOGIN, (data) => {
@ -494,6 +495,11 @@ test('should update user name when signing in via SSO', async () => {
expect(actualUser.email).toBe(email); expect(actualUser.email).toBe(email);
expect(actualUser.name).toBe('New name!'); expect(actualUser.name).toBe('New name!');
expect(actualUser.rootRole).toBe(viewerRole.id); expect(actualUser.rootRole).toBe(viewerRole.id);
const { events } = await eventService.getEvents();
const updateEvent = events.find(
(e) => e.data.id === originalUser.id && e.data.name === 'New name!',
);
expect(updateEvent).toBeDefined();
}); });
test('should update name if it is different via SSO', async () => { test('should update name if it is different via SSO', async () => {
@ -572,6 +578,36 @@ test('should support a custom root role id when logging in and creating user via
expect(permissions[0].permission).toBe(CREATE_ADDON); expect(permissions[0].permission).toBe(CREATE_ADDON);
}); });
test(`should not update the username if managed by SCIM`, async () => {
const email = 'test-1@getunleash.io';
const originalName = 'Original Name';
const name = 'Updated Name';
const createdUser = await userStore.insert({
name: originalName,
username: 'random-1234',
email,
});
await db
.rawDatabase('users')
.update({
scim_id: '123',
})
.where({ id: createdUser.id });
const user = await userService.loginUserSSO({
email,
autoCreate: true,
name,
});
expect(user.name).toBe(originalName);
// Fetch the user directly from the store to verify
const storedUser = await userStore.get(user.id);
expect(storedUser!.name).toBe(originalName);
});
});
describe('Should not be able to use any of previous 5 passwords', () => { describe('Should not be able to use any of previous 5 passwords', () => {
test('throws exception when trying to use a previously used password', async () => { test('throws exception when trying to use a previously used password', async () => {
const name = 'same-password-is-not-allowed'; const name = 'same-password-is-not-allowed';