Conversation
astirpe
force-pushed
the
18_add_auth_user_role
branch
from
96db213 to
f9f973d
Compare
CasVissers-360ERP
left a comment
CasVissers-360ERP
left a comment
There was a problem hiding this comment.
Functional review
| roles_to_add = self._get_mapped_roles(identity_payload) | ||
|
|
||
| existing_lines = self.role_line_ids | ||
| existing_role_ids = set(existing_lines.mapped("role_id").ids) |
There was a problem hiding this comment.
@astirpe In a full sync I would expect also res.groups to be removed since we want a full sync with roles setup for that user.
There was a problem hiding this comment.
@CasVissers-360ERP it's already the case, see this line:
if strict_sync:
self.set_groups_from_roles(force=True)Since "force=True" is passed, Odoo performs the following:
- Calculates all groups implied by the user's current active roles.
- Wipes any groups currently on the user that are not in that calculated list.
- Ensures only the groups defined by the SAML-mapped roles remain.
This scenario is already covered by test_13_strict_sync_removes_native_groups().
There was a problem hiding this comment.
@CasVissers-360ERP In case a user ends up with no roles, here is how set_groups_from_roles() behaves:
The following statement is bypassed, because force is true:
for user in self:
if not user.role_line_ids and not force:
continuehttps://github.com/OCA/server-backend/blob/18.0/base_user_role/models/user.py#L92-L93
In this case:
groups_to_add will be an empty list;
groups_to_remove = list(set(user.groups_id.ids) - set([])). This means every single group the user currently has is flagged for removal;
Odoo executes the (3, ID) commands for all groups_to_remove, so that the user is stripped of all permissions. The user might be able to log in, but they will see a blank screen because they don't even have the basic base.group_user
astirpe
force-pushed
the
18_add_auth_user_role
branch
from
f9f973d to
f59e143
Compare
3 participants
No description provided.