LDAP - setting user as admin (via objectclass) makes them admin forever - saves the setting into database.

[kubatyszko]

• Gitea version (or commit ref): master
• Git version:
• Operating system: Linux
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

I'm using LDAP authentication with correct user and admin objectClass filters.
When user logs in for the first time, if they match the admin filter - they are set as admin in the database forever.

I would expect it to be always dynamically controlled via LDAP - not using the value stored in DB.

I don't expect to be able to control this using admin interface -> users (that should probably have the "administrator" column greyed out.

I DO see that upon each login the value is being checked with ldap - but not used...

[strk]

Same issue filed on Gogs: gogs/gogs#2855

[strk]

Gogs PR attempting to fix it: gogs/gogs#3062
The PR is a generic SYNC method dealing with the generic LDAP sync issue reported in Gogs on gogs/gogs#1268

Maybe someone wants to complete that PR and port to Gitea ?
\cc @ptman

[strk]

@lunny milestone should probably not be 1.x.x (1.2.0 or later, I'd think)

[DblK]

Also mentioned in the PR #1478

[ptman]

Btw, is it possible to determine admin-privilege using group membership instead of objectclass? There might not be a suitable objectclass and active directory and freeipa don't really recommend extending the schema

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.