fix(oauth2): not respecting claims before second login (#37874)

fixes defect where claims where only applies on login but not during account linking making only the second login take them into account fixes: https://github.com/go-gitea/gitea/issues/32566
2026-06-14 03:29:55 +00:00 · 2026-06-03 18:50:47 +02:00
parent 623bb81bb9
commit 735e940a61
3 changed files with 196 additions and 23 deletions
@@ -188,10 +188,6 @@ func SignInOAuthCallback(ctx *context.Context) {

 			source := authSource.Cfg.(*oauth2.Source)

-			isAdmin, isRestricted := getUserAdminAndRestrictedFromGroupClaims(source, &gothUser)
-			u.IsAdmin = isAdmin.ValueOrDefault(user_service.UpdateOptionField[bool]{FieldValue: false}).FieldValue
-			u.IsRestricted = isRestricted.ValueOrDefault(setting.Service.DefaultUserIsRestricted)
-
 			linkAccountData := &LinkAccountData{authSource.ID, gothUser}
 			if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingDisabled {
 				linkAccountData = nil
@@ -373,9 +369,6 @@ func handleOAuth2SignIn(ctx *context.Context, authSource *auth.Source, u *user_m
 		opts.IsActive = optional.Some(true)
 	}

-	// Update GroupClaims
-	opts.IsAdmin, opts.IsRestricted = getUserAdminAndRestrictedFromGroupClaims(oauth2Source, &gothUser)
-
 	if oauth2Source.GroupTeamMap != "" || oauth2Source.GroupTeamMapRemoval {
 		if err := source_service.SyncGroupsToTeams(ctx, u, groups, groupTeamMapping, oauth2Source.GroupTeamMapRemoval); err != nil {
 			ctx.ServerError("SyncGroupsToTeams", err)
@@ -14,6 +14,7 @@ import (
 	asymkey_service "gitea.dev/services/asymkey"
 	"gitea.dev/services/auth/source/oauth2"
 	"gitea.dev/services/context"
+	user_service "gitea.dev/services/user"

 	"github.com/markbates/goth"
 )
@@ -50,6 +51,14 @@ func oauth2SignInSync(ctx *context.Context, authSourceID int64, u *user_model.Us
 		}
 	}

+	// sync user flags (admin/restricted)
+	isAdmin, isRestricted := getUserAdminAndRestrictedFromGroupClaims(oauth2Source, &gothUser)
+	if isAdmin.Has() || isRestricted.Has() {
+		if err = user_service.UpdateUser(ctx, u, &user_service.UpdateOptions{IsAdmin: isAdmin, IsRestricted: isRestricted}); err != nil {
+			log.Error("Unable to sync OAuth2 user admin or restricted status %s: %v", gothUser.Provider, err)
+		}
+	}
+
 	err = oauth2UpdateSSHPubIfNeed(ctx, authSource, &gothUser, u)
 	if err != nil {
 		log.Error("Unable to sync OAuth2 SSH public key %s: %v", gothUser.Provider, err)