[
https://issues.apache.org/jira/browse/OAK-4845?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15514871#comment-15514871
]
Alexander Klimetschek commented on OAK-4845:
--------------------------------------------
Attached a patch which fixes the issue by allowing local groups without a
{{rep:externalId}} (and includes above test). It still checks and prevents a
group added by another identity provider.
* [^OAK-4845.patch]
I could imagine there can be scenarios with 2 IDPs where folks might want to
add users from one IDP to be added to groups from another IDP. In that case,
reverting OAK-4397 would probably be the answer. Don't have a clear opinion on
that, though.
I also noticed that some of the unit tests, especially
{{testMembershipForExistingForeignGroup}}, of which I based the new test on, do
not make sure {{root.commit()}} is called after the sync, which at least makes
group membership changes not yet visible to {{user.declaredMemberOf()}} checked
at the end.
* fixed that in [^missing-commits-in-tests.patch]
> Regression: DefaultSyncContext does not sync membership to a local group
> ------------------------------------------------------------------------
>
> Key: OAK-4845
> URL: https://issues.apache.org/jira/browse/OAK-4845
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: auth-external
> Affects Versions: 1.5.3, 1.4.7
> Reporter: Alexander Klimetschek
> Priority: Critical
> Attachments: OAK-4845.patch, missing-commits-in-tests.patch
>
>
> OAK-4397 introduced a regression: it does not allow syncing to a locally
> existing group anymore (that does not belong to another IDP).
> Updating to 1.4.7 now gives "Existing authorizable 'X' is not a group from
> this IDP 'foo'.", and the group is not synced and most importantly,
> memberships for external users are not updated anymore. Looking at the group
> in JCR, it does not have a {{rep:externalId}} at all, only a
> {{rep:lastSynced}}.
> Code wise, this is because the {{rep:externalId}} is only ever set in
> {{createGroup()}}, i.e. when the external sync creates that group initially.
> If the group is already present locally (but not owned by another IDP!), then
> it won't use it due to the new {{isSameIDP()}} check, which will also fail if
> there is no {{rep:externalId}} property set.
> The use case is that we are defining the group locally as part of our
> application already (including ACs etc.) and we want certain external users
> be added to it, based on some some of their settings on the external IDP
> side. FWIW, we don't care for the syncing of properties for the group itself,
> just for the memberships.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)