graph: Fix role-id extraction from token

We can't use ReadPlainFromOpaque here since the OpaqueEntry entry is "json" encoded (not "plain"). Fixes: #3893
2026-04-19 16:51:34 -05:00 · 2022-05-30 16:01:43 +02:00
parent d4e0045723
commit 082c66beb7
2 changed files with 11 additions and 3 deletions
--- a/changelog/unreleased/fix-user-autoprovision.md
+++ b/changelog/unreleased/fix-user-autoprovision.md
@@ -0,0 +1,7 @@
+Bugfix: Fix user autoprovisioning
+
+We've fixed the autoprovsioning feature that was introduced in beta2. Due to a bug
+the role assignment of the privileged user that is used to create accounts wasn't
+propagated correctly to the `graph` service.
+
+https://github.com/owncloud/ocis/issues/3893
--- a/extensions/graph/pkg/middleware/auth.go
+++ b/extensions/graph/pkg/middleware/auth.go
@@ -6,7 +6,6 @@ import (
 	"github.com/cs3org/reva/v2/pkg/auth/scope"
 	revactx "github.com/cs3org/reva/v2/pkg/ctx"
 	"github.com/cs3org/reva/v2/pkg/token/manager/jwt"
-	"github.com/cs3org/reva/v2/pkg/utils"
 	"github.com/owncloud/ocis/v2/extensions/graph/pkg/service/v0/errorcode"
 	"github.com/owncloud/ocis/v2/ocis-pkg/account"
 	opkgm "github.com/owncloud/ocis/v2/ocis-pkg/middleware"
@@ -75,8 +74,10 @@ func Auth(opts ...account.Option) func(http.Handler) http.Handler {
 			ctx = revactx.ContextSetToken(ctx, t)
 			ctx = revactx.ContextSetUser(ctx, u)
 			ctx = gmmetadata.Set(ctx, opkgm.AccountID, u.Id.OpaqueId)
-			if role := utils.ReadPlainFromOpaque(u.Opaque, "roles"); role != "" {
-				ctx = gmmetadata.Set(ctx, opkgm.RoleIDs, role)
+			if u.Opaque != nil && u.Opaque.Map != nil {
+				if roles, ok := u.Opaque.Map["roles"]; ok {
+					ctx = gmmetadata.Set(ctx, opkgm.RoleIDs, string(roles.Value))
+				}
 			}
 			ctx = metadata.AppendToOutgoingContext(ctx, revactx.TokenHeader, t)