Default-deny access control with group flags and access enumeration
Some checks failed
Some checks failed
Replaces the implicit "empty allowed_groups means public" rule with explicit default-deny across both OIDC and ForwardAuth. Adds two boolean flags on Group — auto_assign (Keycloak-style auto-join on user create) and admin (members can reach the admin panel) — and drops the users.admin column entirely. Adds "Users with access" and "Accessible applications" panels with via-group badges on the application/user show pages. BEHAVIOR CHANGE: a ForwardAuth app with no allowed_groups previously bypassed authentication entirely; it now returns 403 like any other unauthorized request. The data migration seeds an "everyone" group and attaches it to all previously group-less apps to preserve behavior on existing installs. An "admins" group is seeded and backfilled from any user with the old admin column. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -15,6 +15,11 @@ class Group < ApplicationRecord
|
||||
normalizes :name, with: ->(name) { name.strip.downcase }
|
||||
validate :no_reserved_claim_names
|
||||
|
||||
scope :auto_assign, -> { where(auto_assign: true) }
|
||||
scope :admin, -> { where(admin: true) }
|
||||
|
||||
before_destroy :ensure_other_admin_group_exists
|
||||
|
||||
# Parse custom_claims JSON field
|
||||
def parsed_custom_claims
|
||||
return {} if custom_claims.blank?
|
||||
@@ -23,6 +28,13 @@ class Group < ApplicationRecord
|
||||
|
||||
private
|
||||
|
||||
def ensure_other_admin_group_exists
|
||||
return unless admin?
|
||||
return if Group.where(admin: true).where.not(id: id).exists?
|
||||
errors.add(:base, "cannot delete the last administrators group")
|
||||
throw :abort
|
||||
end
|
||||
|
||||
def no_reserved_claim_names
|
||||
return if custom_claims.blank?
|
||||
|
||||
|
||||
Reference in New Issue
Block a user