57 lines
1.4 KiB
Ruby
57 lines
1.4 KiB
Ruby
class User < ApplicationRecord
|
|
has_secure_password
|
|
has_many :sessions, dependent: :destroy
|
|
|
|
normalizes :email_address, with: ->(e) { e.strip.downcase }
|
|
|
|
enum :role, { admin: 0, user: 1, viewer: 2 }, default: :user
|
|
|
|
generates_token_for :password_reset, expires_in: 1.hour do
|
|
updated_at
|
|
end
|
|
|
|
validates :email_address, presence: true, uniqueness: true, format: { with: URI::MailTo::EMAIL_REGEXP }
|
|
validates :role, presence: true
|
|
|
|
before_validation :set_first_user_as_admin, on: :create
|
|
|
|
def update_role_from_oidc_groups(groups)
|
|
new_role = self.class.map_oidc_groups_to_role(groups)
|
|
update(role: new_role) if role != new_role
|
|
end
|
|
|
|
def admin?
|
|
role == 'admin'
|
|
end
|
|
|
|
def viewer?
|
|
role == 'viewer'
|
|
end
|
|
|
|
private
|
|
|
|
def set_first_user_as_admin
|
|
return if User.any?
|
|
self.role = 'admin'
|
|
end
|
|
|
|
def self.map_oidc_groups_to_role(groups)
|
|
groups = Array(groups)
|
|
|
|
# Check admin groups first
|
|
admin_groups = ENV['OIDC_ADMIN_GROUPS']&.split(',')&.map(&:strip)
|
|
return 'admin' if admin_groups && (admin_groups & groups).any?
|
|
|
|
# Check user groups
|
|
user_groups = ENV['OIDC_USER_GROUPS']&.split(',')&.map(&:strip)
|
|
return 'user' if user_groups && (user_groups & groups).any?
|
|
|
|
# Check viewer groups
|
|
viewer_groups = ENV['OIDC_VIEWER_GROUPS']&.split(',')&.map(&:strip)
|
|
return 'viewer' if viewer_groups && (viewer_groups & groups).any?
|
|
|
|
# Default to user if no group matches
|
|
'user'
|
|
end
|
|
end
|