This commit is contained in:
Timothy Jaeryang Baek
2026-03-24 06:21:37 -05:00
parent 6f06b3d5ed
commit 6d7744c219

View File

@@ -1081,21 +1081,30 @@ class OAuthManager:
log.debug(f'Accepted user roles: {oauth_allowed_roles}')
log.debug(f'Accepted admin roles: {oauth_admin_roles}')
# If any roles are found, check if they match the allowed or admin roles
# If roles are present in the token, they must match; otherwise deny access
if oauth_roles:
# If role management is enabled, and matching roles are provided, use the roles
matched = False
for allowed_role in oauth_allowed_roles:
# If the user has any of the allowed roles, assign the role "user"
if allowed_role in oauth_roles:
log.debug('Assigned user the user role')
role = 'user'
matched = True
break
for admin_role in oauth_admin_roles:
# If the user has any of the admin roles, assign the role "admin"
if admin_role in oauth_roles:
log.debug('Assigned user the admin role')
role = 'admin'
matched = True
break
if not matched:
log.warning(
f'OAuth role management enabled but user roles do not match any allowed/admin roles. '
f'User roles: {oauth_roles}, allowed: {oauth_allowed_roles}, admin: {oauth_admin_roles}'
)
raise HTTPException(
status.HTTP_403_FORBIDDEN,
detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
)
else:
if not user:
# If role management is disabled, use the default role for new users