Open
Description
Bug Report
Problematic behavior
When an access is deleted, we make a call to the collaboration server to disconnect the related user:
    CollaborationService().reset_connections(
        str(instance.document.id), str(instance.user.id)
    )
This code is forgetting the fact that an access can be related to a team....
Expected behavior/code
When deleting an access related to a team, all users in the team should be disconnected from the collaboration server.
Note that this bug does not manifest itself in production because we don't make use of team accesses yet.
Possible Solution
Getting the list of users for a team and disconnecting them one by one does not seem to be a good solution and would be fragile.
I would say it is much safer and simpler to disconnect everybody and let the users who still have access reconnect...
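Added example, not part of the original report and not code from the Docs project: a constructed in-memory model of the revocation gap described above, comparing the user-only reset with one reading of the proposed fix (reset the whole room when the deleted access belongs to a team). `FakeCollaborationServer`, `Access`, `TEAM_MEMBERS`, the handler names and the optional `user_id` argument are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins (hypothetical names), not the Docs code base.
TEAM_MEMBERS = {"team-sec": {"alice", "bob"}}


class FakeCollaborationServer:
    def __init__(self):
        self.connections = set()  # {(room, user_id)}

    def connect(self, room, user_id):
        self.connections.add((room, user_id))

    def reset_connections(self, room, user_id=None):
        # Drop one user's sockets in a room, or the whole room when user_id is None.
        self.connections = {
            (r, u) for r, u in self.connections
            if r != room or (user_id is not None and u != user_id)
        }


@dataclass
class Access:
    document_id: str
    user_id: Optional[str] = None  # set for a direct access
    team: Optional[str] = None     # set for a team access


def on_delete_user_only(server, access):
    # Shape of the call in the report: the team case is not considered.
    server.reset_connections(str(access.document_id), str(access.user_id))


def on_delete_reset_room(server, access):
    # Assumed fix: a team access empties the room; clients that still have access reconnect.
    if access.user_id is not None:
        server.reset_connections(str(access.document_id), str(access.user_id))
    else:
        server.reset_connections(str(access.document_id))


def remaining_after_team_delete(handler):
    server = FakeCollaborationServer()
    for user in TEAM_MEMBERS["team-sec"]:
        server.connect("doc-1", user)
    server.connect("doc-2", "carol")  # unrelated room must stay untouched
    handler(server, Access(document_id="doc-1", team="team-sec"))
    return server.connections
```

In this model the user-only handler matches no connection for a team access, so both team members keep their live sessions on `doc-1` after the access is deleted, while the room reset clears them and leaves `doc-2` alone.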
Activity
rielzzapps commented on May 15, 2025
In the non-production server, when you add a team, does it effectively add all users one by one?
Or, should the authorisation server understand that this is a team and that the current user has access because it is a member of that team?
In the last case, it would work much more as I would expect. Also, in the case of adding users to a team, then these users automatically get access to all those files, which is again, what one would expect?
sampaccoud commented on May 15, 2025
Hi @rielzzapps! The way it works is that Docs relies on an external service to get teams for a given user. Any access right can be given to a team the same way it is given to a user, and when it is, all the users who are in the team will get this access right. This way we don't duplicate team definitions in every application of the OIDC federation.
We have not implemented it yet but everything is ready in the backend. The method to get the properties for a user is here and returns an empty list for the moment: https://github.com/suitenumerique/docs/blob/main/src/backend/core/models.py#L342
We want it to work with several team definition services and have included one in https://github.com/suitenumerique/people. Teams will be fetched following the SCIM standard representation and using OIDC resource server for authentication.
@qbey is currently working on it and can maybe give us more details.