fixed an idp guest role default assignment

changelog/unreleased/fix-idp-guest-role.md

@@ -0,0 +1,6 @@
+Bugfix: Fix idp guest role default assignment
+
+We fixed an idp guest role default assignment.
+
+https://github.com/owncloud/ocis/pull/10511
+https://github.com/owncloud/ocis/issues/10474

services/proxy/pkg/middleware/create_home.go

@@ -106,6 +106,9 @@ func (m createHome) getUserRoles(user *userv1beta1.User) ([]string, error) {
 }
 
 func (m createHome) checkRoleQuotaLimit(roleIDs []string) (uint64, bool) {
+	if len(roleIDs) == 0 {
+		return 0, false
+	}
 	id := roleIDs[0] // At the moment a user can only have one role.
 	quota, ok := m.roleQuotas[id]
 	return quota, ok

services/proxy/pkg/userroles/defaultrole.go

@@ -43,18 +43,22 @@ func (d defaultRoleAssigner) UpdateUserRoleAssignment(ctx context.Context, user
 			// This user doesn't have a role assignment yet. Assign a
 			// default user role. At least until proper roles are provided. See
 			// https://github.com/owncloud/ocis/issues/1825 for more context.
-			if user.Id.Type == cs3.UserType_USER_TYPE_PRIMARY {
+			if user.Id.Type == cs3.UserType_USER_TYPE_PRIMARY || user.Id.Type == cs3.UserType_USER_TYPE_GUEST {
+				roleId := settingsService.BundleUUIDRoleUser
+				if user.Id.Type == cs3.UserType_USER_TYPE_GUEST {
+					roleId = settingsService.BundleUUIDRoleGuest
+				}
 				d.logger.Info().Str("userid", user.Id.OpaqueId).Msg("user has no role assigned, assigning default user role")
 				ctx = metadata.Set(ctx, middleware.AccountID, user.Id.OpaqueId)
 				_, err := d.roleService.AssignRoleToUser(ctx, &settingssvc.AssignRoleToUserRequest{
 					AccountUuid: user.Id.OpaqueId,
-					RoleId:      settingsService.BundleUUIDRoleUser,
+					RoleId:      roleId,
 				})
 				if err != nil {
 					d.logger.Error().Err(err).Msg("Could not add default role")
 					return nil, err
 				}
-				roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser)
+				roleIDs = append(roleIDs, roleId)
 			}
 		}
 	}

services/settings/pkg/service/v0/service.go

@@ -380,12 +380,12 @@ func (g Service) AssignRoleToUser(ctx context.Context, req *settingssvc.AssignRo
 
 	switch {
 	case ownAccountUUID == req.AccountUuid:
-		// Allow users to assign themself to the user role
+		// Allow users to assign themself to the user or user light role
 		// deny any other attempt to change	the user's own assignment
 		if r, err := g.manager.ListRoleAssignments(req.AccountUuid); err == nil && len(r) > 0 {
 			return merrors.Forbidden(g.id, "Changing own role assignment forbidden")
 		}
-		if req.RoleId != defaults.BundleUUIDRoleUser {
+		if req.RoleId != defaults.BundleUUIDRoleUser && req.RoleId != defaults.BundleUUIDRoleUserLight {
 			return merrors.Forbidden(g.id, "Changing own role assignment forbidden")
 		}
 		g.logger.Debug().Str("userid", ownAccountUUID).Msg("Self-assignment for default 'user' role permitted")

services/settings/pkg/service/v0/service_test.go

@@ -84,6 +84,15 @@ func TestEditOwnRoleAssignment(t *testing.T) {
 	err := svc.AssignRoleToUser(ctxWithUUID, &req, &res)
 	assert.Nil(t, err)
 
+	// Creating an initial self assignment is expected to succeed for UserLightRole when no assignment exists yet
+	req = v0.AssignRoleToUserRequest{
+		AccountUuid: "61445573-4dbe-4d56-88dc-88ab47aceba7",
+		RoleId:      defaults.BundleUUIDRoleUserLight,
+	}
+	res = v0.AssignRoleToUserResponse{}
+	err = svc.AssignRoleToUser(ctxWithUUID, &req, &res)
+	assert.Nil(t, err)
+
 	// Creating an initial self assignment is expected to fail for non UserRole when no assignment exists yet
 	req = v0.AssignRoleToUserRequest{
 		AccountUuid: "61445573-4dbe-4d56-88dc-88ab47aceba7",