clinch

dkam/clinch

Fork 0

Commit Graph

Author	SHA1	Message	Date
Dan Milne	aa5736ddab	Update gems and fix lint to clear CI failures Bumps dependencies (jwt 3.2.0, puma 8.0.2, net-imap 0.6.4.1 and others via bundle update) to resolve bundler-audit advisories, and applies standardrb autofixes so the lint job passes. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-21 13:51:23 +10:00
Dan Milne	03dfdbd83a	Default-deny access control with group flags and access enumeration Some checks failed CI / scan_ruby (push) Has been cancelled Details CI / scan_js (push) Has been cancelled Details CI / scan_container (push) Has been cancelled Details CI / lint (push) Has been cancelled Details CI / test (push) Has been cancelled Details CI / system-test (push) Has been cancelled Details Replaces the implicit "empty allowed_groups means public" rule with explicit default-deny across both OIDC and ForwardAuth. Adds two boolean flags on Group — auto_assign (Keycloak-style auto-join on user create) and admin (members can reach the admin panel) — and drops the users.admin column entirely. Adds "Users with access" and "Accessible applications" panels with via-group badges on the application/user show pages. BEHAVIOR CHANGE: a ForwardAuth app with no allowed_groups previously bypassed authentication entirely; it now returns 403 like any other unauthorized request. The data migration seeds an "everyone" group and attaches it to all previously group-less apps to preserve behavior on existing installs. An "admins" group is seeded and backfilled from any user with the old admin column. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-07 15:53:27 +10:00
Dan Milne	a399907dfd	Allow assigning applications to a group from the group form Adds an "Assigned Applications" checkbox list to the group new/edit form so admins can grant a group access to multiple apps from one screen, instead of editing each application individually. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-28 21:17:43 +10:00

Author

SHA1

Message

Date

Dan Milne

aa5736ddab

Update gems and fix lint to clear CI failures

Bumps dependencies (jwt 3.2.0, puma 8.0.2, net-imap 0.6.4.1 and others
via bundle update) to resolve bundler-audit advisories, and applies
standardrb autofixes so the lint job passes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-21 13:51:23 +10:00

Dan Milne

03dfdbd83a

Default-deny access control with group flags and access enumeration

CI / scan_ruby (push) Has been cancelled

Details

CI / scan_js (push) Has been cancelled

Details

CI / scan_container (push) Has been cancelled

Details

CI / lint (push) Has been cancelled

Details

CI / test (push) Has been cancelled

Details

CI / system-test (push) Has been cancelled

Details

Replaces the implicit "empty allowed_groups means public" rule with
explicit default-deny across both OIDC and ForwardAuth. Adds two boolean
flags on Group — auto_assign (Keycloak-style auto-join on user create)
and admin (members can reach the admin panel) — and drops the
users.admin column entirely. Adds "Users with access" and "Accessible
applications" panels with via-group badges on the application/user show
pages.

BEHAVIOR CHANGE: a ForwardAuth app with no allowed_groups previously
bypassed authentication entirely; it now returns 403 like any other
unauthorized request. The data migration seeds an "everyone" group and
attaches it to all previously group-less apps to preserve behavior on
existing installs. An "admins" group is seeded and backfilled from any
user with the old admin column.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-06-07 15:53:27 +10:00

Dan Milne

a399907dfd

Allow assigning applications to a group from the group form

Adds an "Assigned Applications" checkbox list to the group new/edit
form so admins can grant a group access to multiple apps from one
screen, instead of editing each application individually.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-28 21:17:43 +10:00

3 Commits