[permissions] Fix user is assigned default role after SSO sign-in (#11023)

When logging using a SSO method, we call signInUp service in which we were wrongfully assigning a role to the user even if the user is signing in and not signin up. This went unnoticed during our QA as a different sign-in method is called when logging with the credentials. --------- Co-authored-by: Weiko <corentin@twenty.com>
2025-03-19 14:14:45 +01:00
parent 8c5335a863
commit 69b3b34859
2 changed files with 55 additions and 10 deletions
--- a/packages/twenty-server/src/engine/core-modules/auth/services/sign-in-up.service.spec.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/services/sign-in-up.service.spec.ts
@ -366,7 +366,7 @@ describe('SignInUpService', () => {
    expect(WorkspaceRepository.save).toHaveBeenCalled();
  });

-  it('should assign default role when permissions are enabled', async () => {
+  it('should not assign default role when permissions are enabled and user exists', async () => {
    const params: SignInUpBaseParams &
      ExistingUserOrPartialUserWithPicture &
      AuthProviderWithPasswordType = {
@ -392,6 +392,49 @@ describe('SignInUpService', () => {

    await service.signInUp(params);

+    expect(params.workspace).toBeDefined();
+    expect(userRoleService.assignRoleToUserWorkspace).not.toHaveBeenCalled();
+  });
+
+  it('should assign default role when permissions are enabled and user does not exist', async () => {
+    const params: SignInUpBaseParams &
+      ExistingUserOrPartialUserWithPicture &
+      AuthProviderWithPasswordType = {
+      workspace: {
+        id: 'workspaceId',
+        defaultRoleId: 'defaultRoleId',
+        activationStatus: WorkspaceActivationStatus.ACTIVE,
+      } as Workspace,
+      authParams: { provider: 'password', password: 'validPassword' },
+      userData: {
+        type: 'newUserWithPicture',
+        newUserWithPicture: {
+          email: 'newuser@example.com',
+          picture: 'pictureUrl',
+        },
+      },
+    };
+
+    const mockUserWorkspace = { id: 'userWorkspaceId' };
+
+    jest.spyOn(featureFlagService, 'isFeatureEnabled').mockResolvedValue(true);
+
+    jest.spyOn(fileUploadService, 'uploadImage').mockResolvedValue({
+      id: '',
+      mimeType: '',
+      paths: ['path/to/image'],
+    });
+    jest.spyOn(UserRepository, 'create').mockReturnValue({} as User);
+    jest
+      .spyOn(UserRepository, 'save')
+      .mockResolvedValue({ id: 'newUserId' } as User);
+    jest.spyOn(userWorkspaceService, 'addUserToWorkspace').mockResolvedValue({
+      user: {} as User,
+      userWorkspace: mockUserWorkspace as UserWorkspace,
+    });
+
+    await service.signInUp(params);
+
    expect(params.workspace).toBeDefined();
    expect(userRoleService.assignRoleToUserWorkspace).toHaveBeenCalledWith({
      workspaceId: params.workspace!.id,
--- a/packages/twenty-server/src/engine/core-modules/auth/services/sign-in-up.service.ts
+++ b/packages/twenty-server/src/engine/core-modules/auth/services/sign-in-up.service.ts
@ -243,16 +243,18 @@ export class SignInUpService {

    const user = Object.assign(currentUser, updatedUser);

-    if (params.userData.type === 'newUserWithPicture') {
-      await this.activateOnboardingForUser(user, params.workspace);
-    }
+    const isSignUp = params.userData.type === 'newUserWithPicture';

-    if (params.workspace.defaultRoleId) {
-      await this.userRoleService.assignRoleToUserWorkspace({
-        workspaceId: params.workspace.id,
-        userWorkspaceId: userWorkspace.id,
-        roleId: params.workspace.defaultRoleId,
-      });
+    if (isSignUp) {
+      await this.activateOnboardingForUser(user, params.workspace);
+
+      if (params.workspace.defaultRoleId) {
+        await this.userRoleService.assignRoleToUserWorkspace({
+          workspaceId: params.workspace.id,
+          userWorkspaceId: userWorkspace.id,
+          roleId: params.workspace.defaultRoleId,
+        });
+      }
    }

    return user;