From 36e24930bef06c31b7607f2f30fe10f5141fc158 Mon Sep 17 00:00:00 2001 From: Ben Hardill Date: Mon, 22 Jul 2024 17:36:16 +0100 Subject: [PATCH] Allow admin to be set from SSO group fixes #4085 --- forge/ee/lib/sso/index.js | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/forge/ee/lib/sso/index.js b/forge/ee/lib/sso/index.js index 2a110d8c87..fa57bb94c1 100644 --- a/forge/ee/lib/sso/index.js +++ b/forge/ee/lib/sso/index.js @@ -302,6 +302,7 @@ module.exports.init = async function (app) { if (!Array.isArray(groupAssertions)) { groupAssertions = [groupAssertions] } + let adminGroup = false const desiredTeamMemberships = {} groupAssertions.forEach(ga => { // Parse the group name - format: 'ff-SLUG-ROLE' @@ -321,10 +322,24 @@ module.exports.init = async function (app) { // ensure we keep the highest level of access desiredTeamMemberships[teamSlug] = Math.max(desiredTeamMemberships[teamSlug] || 0, teamRole) } + } else if (teamRole === Roles.Admin) { + adminGroup = true } } }) + if (user.admin && !adminGroup) { + if (!Object.hasOwn(desiredTeamMemberships, 'admin')) { + app.auditLog.User.user.updatedUser(0, null, [{ key: 'admin', old: true, new: false }], user) + user.admin = false + await user.save() + } + } else if (adminGroup && !user.admin) { + app.auditLog.User.user.updatedUser(0, null, [{ key: 'admin', old: false, new: true }], user) + user.admin = true + await user.save() + } + // Get the existing memberships and generate a slug->membership object (existingMemberships) const existingMemberships = {} ;((await user.getTeamMemberships(true)) || []).forEach(membership => { 
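Review bot: The demotion branch (`if (user.admin && !adminGroup)`) clears the platform-admin flag on every SSO login whose group assertions carry no admin group, and nothing in the hunk prevents it from demoting the last remaining admin — unless a guard outside this hunk skips group processing when the IdP sends no group claim at all, a missing or renamed claim could lock the whole instance out of administration, so I would count the remaining admins before clearing the flag and refuse (with a log/audit entry) when this user is the last one. The inner `Object.hasOwn(desiredTeamMemberships, 'admin')` test keys on a team whose slug is literally `admin`, which is a different thing from the platform-admin group; if that is deliberate it needs a comment saying why, otherwise it should go. On the grant side `adminGroup` is set for any assertion whose ROLE part equals `Roles.Admin`, and the slug condition that `else if` hangs off starts outside the hunk, so it is worth confirming that only the documented group name can confer platform admin, this being the highest privilege on the instance. The two audit calls pass actor `0` and a `null` error with no explanation; a one-line comment such as `// actor 0: change driven by SSO group mapping, not by a logged-in user` would help whoever reads the audit trail. The enclosing `init` handler continues outside the hunk.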
@@ -355,8 +370,6 @@ module.exports.init = async function (app) {
 // This team is in the desired list
 if (desiredTeamMemberships[teamSlug] !== membership.role) {
 // Role has changed - update membership
- // console.log(`changing role in team ${teamSlug} from ${membership.role} to ${desiredTeamMemberships[teamSlug]}`)
-
 const updates = new app.auditLog.formatters.UpdatesCollection()
 const oldRole = app.auditLog.formatters.roleObject(membership.role)
 const role = app.auditLog.formatters.roleObject(desiredTeamMemberships[teamSlug])