From 3a060331f7180f7c5b6332df0d5f24f5f2e31fa5 Mon Sep 17 00:00:00 2001
From: Roman Perekhod
Date: Thu, 7 Nov 2024 17:51:49 +0100
Subject: [PATCH] fixed an idp guest role default assignment
---
 changelog/unreleased/fix-idp-guest-role.md | 6 ++++++
 services/proxy/pkg/middleware/create_home.go | 3 +++
 services/proxy/pkg/userroles/defaultrole.go | 10 +++++++---
 services/settings/pkg/service/v0/service.go | 4 ++--
 services/settings/pkg/service/v0/service_test.go | 9 +++++++++
 5 files changed, 27 insertions(+), 5 deletions(-)
 create mode 100644 changelog/unreleased/fix-idp-guest-role.md
diff --git a/changelog/unreleased/fix-idp-guest-role.md b/changelog/unreleased/fix-idp-guest-role.md
new file mode 100644
index 0000000000..a5cde83116
--- /dev/null
+++ b/changelog/unreleased/fix-idp-guest-role.md
@@ -0,0 +1,6 @@
+Bugfix: Fix idp guest role default assignment
+
+We fixed an idp guest role default assignment.
+
+https://github.com/owncloud/ocis/pull/10511
+https://github.com/owncloud/ocis/issues/10474
diff --git a/services/proxy/pkg/middleware/create_home.go b/services/proxy/pkg/middleware/create_home.go
index 203f4d84ac..e1327d2d19 100644
--- a/services/proxy/pkg/middleware/create_home.go
+++ b/services/proxy/pkg/middleware/create_home.go
@@ -106,6 +106,9 @@ func (m createHome) getUserRoles(user *userv1beta1.User) ([]string, error) {
 }

 func (m createHome) checkRoleQuotaLimit(roleIDs []string) (uint64, bool) {
+ if len(roleIDs) == 0 {
+ return 0, false
+ }
 id := roleIDs[0] // At the moment a user can only have one role.
 quota, ok := m.roleQuotas[id]
 return quota, ok
diff --git a/services/proxy/pkg/userroles/defaultrole.go b/services/proxy/pkg/userroles/defaultrole.go
index 29125177f0..1136097ddd 100644
--- a/services/proxy/pkg/userroles/defaultrole.go
+++ b/services/proxy/pkg/userroles/defaultrole.go
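Review bot: The new empty-slice guard in `checkRoleQuotaLimit` (create_home.go) has neither a test nor a comment; the diffstat lists service_test.go as the only test file touched, so the path that previously indexed `roleIDs[0]` on an empty slice stays unexercised. A comment above the guard would record why an empty list is expected here, for example `// No role assignment: report "no role quota" instead of indexing an empty slice.` A unit test calling `checkRoleQuotaLimit(nil)` and expecting `(0, false)` would pin the behaviour. What the caller does with the `false` result is outside this hunk, so whether such users fall back to a default quota should be confirmed there.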
@@ -43,18 +43,22 @@ func (d defaultRoleAssigner) UpdateUserRoleAssignment(ctx context.Context, user
 // This user doesn't have a role assignment yet. Assign a
 // default user role. At least until proper roles are provided. See
 // https://github.com/owncloud/ocis/issues/1825 for more context.
- if user.Id.Type == cs3.UserType_USER_TYPE_PRIMARY {
+ if user.Id.Type == cs3.UserType_USER_TYPE_PRIMARY || user.Id.Type == cs3.UserType_USER_TYPE_GUEST {
+ roleId := settingsService.BundleUUIDRoleUser
+ if user.Id.Type == cs3.UserType_USER_TYPE_GUEST {
+ roleId = settingsService.BundleUUIDRoleGuest
+ }
 d.logger.Info().Str("userid", user.Id.OpaqueId).Msg("user has no role assigned, assigning default user role")
 ctx = metadata.Set(ctx, middleware.AccountID, user.Id.OpaqueId)
 _, err := d.roleService.AssignRoleToUser(ctx, &settingssvc.AssignRoleToUserRequest{
 AccountUuid: user.Id.OpaqueId,
- RoleId: settingsService.BundleUUIDRoleUser,
+ RoleId: roleId,
 })
 if err != nil {
 d.logger.Error().Err(err).Msg("Could not add default role")
 return nil, err
 }
- roleIDs = append(roleIDs, settingsService.BundleUUIDRoleUser)
+ roleIDs = append(roleIDs, roleId)
 }
 }
 }
diff --git a/services/settings/pkg/service/v0/service.go b/services/settings/pkg/service/v0/service.go
index f531316513..97ffea318b 100644
--- a/services/settings/pkg/service/v0/service.go
+++ b/services/settings/pkg/service/v0/service.go
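Review bot: The guest branch in defaultrole.go sends `settingsService.BundleUUIDRoleGuest`, while the self-assignment allowlist changed in service.go by this same commit names `defaults.BundleUUIDRoleUserLight`. Both constants are defined outside this patch; if they are not the same UUID, the settings service would likely answer Forbidden and `UpdateUserRoleAssignment` would return that error for every guest without a role. Referring to one constant on both sides, or adding a test that drives the guest path through `AssignRoleToUser`, would make that dependency explicit. The Info line also still says "assigning default user role" for guests; adding `.Str("roleid", roleID)` (with the local renamed from `roleId` per Go initialism style) would show an operator which role was granted. The enclosing function starts and ends outside the hunk.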
@@ -380,12 +380,12 @@ func (g Service) AssignRoleToUser(ctx context.Context, req *settingssvc.AssignRo

 switch {
 case ownAccountUUID == req.AccountUuid:
- // Allow users to assign themself to the user role
+ // Allow users to assign themself to the user or user light role
 // deny any other attempt to change the user's own assignment
 if r, err := g.manager.ListRoleAssignments(req.AccountUuid); err == nil && len(r) > 0 {
 return merrors.Forbidden(g.id, "Changing own role assignment forbidden")
 }
- if req.RoleId != defaults.BundleUUIDRoleUser {
+ if req.RoleId != defaults.BundleUUIDRoleUser && req.RoleId != defaults.BundleUUIDRoleUserLight {
 return merrors.Forbidden(g.id, "Changing own role assignment forbidden")
 }
 g.logger.Debug().Str("userid", ownAccountUUID).Msg("Self-assignment for default 'user' role permitted")
diff --git a/services/settings/pkg/service/v0/service_test.go b/services/settings/pkg/service/v0/service_test.go
index 34ee83e912..41a48e11c8 100644
--- a/services/settings/pkg/service/v0/service_test.go
+++ b/services/settings/pkg/service/v0/service_test.go
@@ -84,6 +84,15 @@ func TestEditOwnRoleAssignment(t *testing.T) {
 err := svc.AssignRoleToUser(ctxWithUUID, &req, &res) assert.Nil(t, err) + // Creating an initial self assignment is expected to succeed for UserLightRole when no assignment exists yet + req = v0.AssignRoleToUserRequest{ + AccountUuid: "61445573-4dbe-4d56-88dc-88ab47aceba7", + RoleId: defaults.BundleUUIDRoleUserLight, + } + res = v0.AssignRoleToUserResponse{} + err = svc.AssignRoleToUser(ctxWithUUID, &req, &res) + assert.Nil(t, err) + // Creating an initial self assignment is expected to fail for non UserRole when no assignment exists yet req = v0.AssignRoleToUserRequest{ AccountUuid: "61445573-4dbe-4d56-88dc-88ab47aceba7",
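Review bot: The Debug message after the widened check in `AssignRoleToUser` (service.go) still reads `Self-assignment for default 'user' role permitted`, so a user-light self-assignment is recorded as a user-role one. Logging the granted role keeps the trail accurate: `g.logger.Debug().Str("userid", ownAccountUUID).Str("roleid", req.RoleId).Msg("Self-assignment for default role permitted")`. The guard now accepts either role for any account that has no assignment yet, and nothing in the visible lines ties the requested role to the account type, so the choice between user and user light appears to rest entirely on the caller. A comment next to the allowlist stating that assumption would help the next reader. The enclosing function starts before and continues after the hunk.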