Replaces the implicit "empty allowed_groups means public" rule with explicit default-deny across both OIDC and ForwardAuth. Adds two boolean flags on Group — auto_assign (Keycloak-style auto-join on user create) and admin (members can reach the admin panel) — and drops the users.admin column entirely. Adds "Users with access" and "Accessible applications" panels with via-group badges on the application/user show pages.

BEHAVIOR CHANGE: a ForwardAuth app with no allowed_groups previously bypassed authentication entirely; it now returns 403 like any other unauthorized request. The data migration seeds an "everyone" group and attaches it to all previously group-less apps to preserve behavior on existing installs. An "admins" group is seeded and backfilled from any user with the old admin column.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
29 lines
905 B
Ruby
```ruby
module SessionTestHelper
  # Create a fresh session row for the user and plant its signed id in the
  # integration-test cookie jar, mirroring what the login flow does in production.
  def sign_in_as(user)
    Current.session = user.sessions.create!

    ActionDispatch::TestRequest.create.cookie_jar.tap do |cookie_jar|
      cookie_jar.signed[:session_id] = Current.session.id
      cookies["session_id"] = cookie_jar[:session_id]
    end
  end

  # Destroy the current session row and drop the cookie that referenced it.
  def sign_out
    Current.session&.destroy!
    cookies.delete("session_id")
  end

  # Attach the auto-assign "everyone" group to the given app so existing tests
  # written under the old "empty allowed_groups = public" rule keep working.
  # New tests should attach groups explicitly to model real access intent.
  def grant_everyone_access(app)
    # Prefer the fixture; fall back to whichever group is flagged auto_assign.
    everyone = (groups(:everyone) rescue Group.find_by(auto_assign: true))
    app.allowed_groups << everyone unless app.allowed_groups.include?(everyone)
    app
  end
end

ActiveSupport.on_load(:action_dispatch_integration_test) do
  include SessionTestHelper
end
```
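The commit message above describes the switch from "empty allowed_groups means public" to default-deny, the group-derived admin flag, the Keycloak-style auto-assign on user creation, and the migration that seeds "everyone" and "admins" to preserve existing behaviour. The following is an added illustration of those rules in plain Ruby, not the project's own models or migration: `Group`, `User` and `App` are stand-in Structs, and `authorized_legacy?`, `authorized?`, `admin?`, `create_user`, `backfill_everyone` and `backfill_admins` are hypothetical names chosen for the example.

```ruby
# Stand-ins for the ActiveRecord models (constructed for this example).
Group = Struct.new(:name, :auto_assign, :admin)
User  = Struct.new(:name, :groups)
App   = Struct.new(:name, :allowed_groups)

# Old rule: an app with no allowed_groups was reachable by anyone.
def authorized_legacy?(user, app)
  return true if app.allowed_groups.empty?
  (user.groups & app.allowed_groups).any?
end

# New rule: default deny. No allowed_groups means nobody, and access is
# granted only through membership in at least one allowed group.
def authorized?(user, app)
  return false if app.allowed_groups.empty?
  (user.groups & app.allowed_groups).any?
end

# Admin rights now derive from group membership instead of a users.admin column.
def admin?(user)
  user.groups.any?(&:admin)
end

# Keycloak-style auto-join: every group flagged auto_assign is attached on
# user creation, in addition to any explicitly requested groups.
def create_user(name, all_groups, explicit_groups = [])
  User.new(name, (explicit_groups + all_groups.select(&:auto_assign)).uniq)
end

# Data-migration step 1: attach "everyone" to apps that had no groups, so
# installs relying on the old public-by-default rule keep working.
def backfill_everyone(apps, everyone)
  apps.each { |app| app.allowed_groups << everyone if app.allowed_groups.empty? }
  apps
end

# Data-migration step 2: move anyone with the legacy admin column set into
# the "admins" group before the column is dropped.
def backfill_admins(legacy_admin_flags, users, admins)
  users.each do |user|
    next unless legacy_admin_flags[user.name]
    user.groups << admins unless user.groups.include?(admins)
  end
  users
end
```

Note that `backfill_everyone` deliberately preserves the old exposure on existing installs; an operator who wants the stricter posture removes "everyone" from the apps where it should not apply, and `authorized?` then denies by construction rather than by omission.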