Merge pull request #4610 from gulyasgergely902/sync-group-permissions

bruntib · web-flow · commit 67eaa562bd5f · 2025-07-09T11:02:47.000+02:00
[feat] Sync group permissions with login provider to prevent out-of-sync groups.
diff --git a/web/server/codechecker_server/session_manager.py b/web/server/codechecker_server/session_manager.py
@@ -592,7 +592,7 @@ def __try_personal_access_token(self, auth_string):
 
         return {
             'username': personal_access_token.user_name,
-            'groups': personal_access_token.groups
+            'groups': str(personal_access_token.groups).split(";")
         }
 
     def __try_auth_dictionary(self, auth_string):
@@ -616,6 +616,8 @@ def __try_auth_dictionary(self, auth_string):
             'groups' in method_config and \
             username in method_config['groups'] else []
 
+        self.__update_personal_access_token_groups(username, group_list)
+
         return {
             'username': username,
             'groups': group_list
@@ -648,10 +650,39 @@ def __try_auth_ldap(self, auth_string):
                 if cc_ldap.auth_user(ldap_conf, username, password):
                     groups = cc_ldap.get_groups(ldap_conf, username, password)
                     self.__update_groups(username, groups)
+                    self.__update_personal_access_token_groups(
+                        username,
+                        groups
+                    )
                     return {'username': username, 'groups': groups}
 
         return False
 
+    def __update_personal_access_token_groups(self, user_name, groups):
+        """
+        Update the groups assigned to a personal access token.
+        """
+        if not self.__database_connection:
+            return None
+
+        transaction = None
+        try:
+            transaction = self.__database_connection()
+            transaction.query(PersonalAccessToken) \
+                .filter(PersonalAccessToken.user_name == user_name) \
+                .update({PersonalAccessToken.groups: ';'.join(groups)})
+            transaction.commit()
+            return True
+        except Exception as e:
+            LOG.error(
+                f"Couldn't find personal access token for user "
+                f"{user_name}: {str(e)}")
+        finally:
+            if transaction:
+                transaction.close()
+
+        return False
+
     def __update_groups(self, user_name, groups):
         """
         Updates group field of the users tokens.
@@ -839,6 +870,8 @@ def create_session_oauth(self, provider: str,
 
         self.__sessions.append(local_session)
 
+        self.__update_personal_access_token_groups(username, groups)
+
         # Store the session in the database.
         transaction = None
         if self.__database_connection:
