Default-deny access control with group flags and access enumeration

Replaces the implicit "empty allowed_groups means public" rule with
explicit default-deny across both OIDC and ForwardAuth. Adds two boolean
flags on Group — auto_assign (Keycloak-style auto-join on user create)
and admin (members can reach the admin panel) — and drops the
users.admin column entirely. Adds "Users with access" and "Accessible
applications" panels with via-group badges on the application/user show
pages.

BEHAVIOR CHANGE: a ForwardAuth app with no allowed_groups previously
bypassed authentication entirely; it now returns 403 like any other
unauthorized request. The data migration seeds an "everyone" group and
attaches it to all previously group-less apps to preserve behavior on
existing installs. An "admins" group is seeded and backfilled from any
user with the old admin column.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

test/controllers/admin/groups_controller_test.rb

@@ -48,5 +48,23 @@ module Admin
 
       assert_equal [app], Group.find_by(name: "new group").applications
     end
+
+    test "can mark a group as auto_assign and admin" do
+      patch admin_group_path(@group), params: {
+        group: {name: @group.name, auto_assign: "1", admin: "1"}
+      }
+
+      @group.reload
+      assert @group.auto_assign?
+      assert @group.admin?
+    end
+
+    test "cannot delete the last admin group" do
+      admins = groups(:admin_group)
+
+      delete admin_group_path(admins)
+      # Destroy was aborted by the before_destroy guard
+      assert Group.exists?(admins.id), "admin group should not have been deleted"
+    end
   end
 end

test/controllers/admin/users_controller_test.rb

@@ -0,0 +1,69 @@
+require "test_helper"
+
+module Admin
+  class UsersControllerTest < ActionDispatch::IntegrationTest
+    setup do
+      @admin = users(:two) # in admin_group via fixtures
+      sign_in_as(@admin)
+    end
+
+    test "show loads accessible applications via the user's groups" do
+      kavita = applications(:kavita_app)
+      # alice is in admin_group via fixtures; kavita is attached to admin_group via app_groups
+      get admin_user_path(users(:alice))
+      assert_response :success
+      assert_match kavita.name, response.body
+      # The "via" badge mentions the granting group name
+      assert_match groups(:admin_group).name, response.body
+    end
+
+    test "update assigns group memberships from group_ids" do
+      target = users(:bob)
+      editors = groups(:editor_group)
+      one = groups(:one)
+
+      patch admin_user_path(target), params: {
+        user: {email_address: target.email_address, group_ids: [editors.id, one.id]}
+      }
+
+      assert_redirected_to admin_users_path
+      assert_equal [editors, one].sort, target.reload.groups.sort
+    end
+
+    test "cannot remove yourself from the last admin group" do
+      # @admin (users:two) is in admin_group. Removing them via the user form
+      # while no other admin exists is blocked.
+      sole_admin = users(:two)
+      # Strip alice (the other admin) so @admin is the last one.
+      users(:alice).groups.delete(groups(:admin_group))
+
+      patch admin_user_path(sole_admin), params: {
+        user: {email_address: sole_admin.email_address, group_ids: []}
+      }
+
+      assert_response :unprocessable_entity
+      assert sole_admin.reload.admin?, "should still be admin"
+    end
+
+    test "create with auto_assign=0 skips the auto-assign callback" do
+      post admin_users_path, params: {
+        user: {email_address: "restricted@example.com"},
+        auto_assign: "0"
+      }
+
+      assert_response :redirect
+      created = User.find_by(email_address: "restricted@example.com")
+      assert_not_includes created.groups, groups(:everyone)
+    end
+
+    test "create without auto_assign param auto-joins everyone" do
+      post admin_users_path, params: {
+        user: {email_address: "newbie@example.com"}
+      }
+
+      assert_response :redirect
+      created = User.find_by(email_address: "newbie@example.com")
+      assert_includes created.groups, groups(:everyone)
+    end
+  end
+end