From ca5c00b37d3f2c81d578229606f8e29427f1b5d8 Mon Sep 17 00:00:00 2001
From: Ricardo Garim
Date: Mon, 8 Dec 2025 13:02:13 -0300
Subject: [PATCH 1/2] fix: convert SAML role names to IDs before user creation/update

---
 .../meteor-accounts-saml/server/lib/SAML.ts | 24 +++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/apps/meteor/app/meteor-accounts-saml/server/lib/SAML.ts b/apps/meteor/app/meteor-accounts-saml/server/lib/SAML.ts
index 2412feb41afe6..eb37c9c6fde51 100644
--- a/apps/meteor/app/meteor-accounts-saml/server/lib/SAML.ts
+++ b/apps/meteor/app/meteor-accounts-saml/server/lib/SAML.ts
@@ -1,7 +1,7 @@
 import type { ServerResponse } from 'http';
-import type { IUser, IIncomingMessage, IPersonalAccessToken } from '@rocket.chat/core-typings';
-import { CredentialTokens, Rooms, Users } from '@rocket.chat/models';
+import type { IUser, IIncomingMessage, IPersonalAccessToken, IRole } from '@rocket.chat/core-typings';
+import { CredentialTokens, Rooms, Users, Roles } from '@rocket.chat/models';
 import { Random } from '@rocket.chat/random';
 import { escapeRegExp, escapeHTML } from '@rocket.chat/string-helpers';
 import { Accounts } from 'meteor/accounts-base';
@@ -29,6 +29,20 @@ const showErrorMessage = function (res: ServerResponse, err: string): void {
 res.end(content, 'utf-8');
 };
+const convertRoleNamesToIds = async (roleNamesOrIds: string[]): Promise => {
+ const roles = (await Roles.findInIdsOrNames(roleNamesOrIds).toArray()).map((role) => role._id);
+
+ if (roles.length !== roleNamesOrIds.length) {
+ SystemLogger.warn(`Failed to convert some role names to ids: ${roleNamesOrIds.join(', ')}`);
+ }
+
+ if (!roles.length) {
+ throw new Error(`We should have at least one existing role to create the user: ${roleNamesOrIds.join(', ')}`);
+ }
+
+ return roles;
+};
+
 export class SAML {
 public static async processRequest(
 req: IIncomingMessage,
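Review bot: The length comparison in `convertRoleNamesToIds` cannot tell which entries failed, and the warning prints the whole input, so an operator reading `Failed to convert some role names to ids: user, admin` still has to guess which one was rejected; the check also misfires on duplicated input entries or on an entry that matches both by id and by name, so equal lengths do not prove every entry resolved. Deriving the unresolved entries from the fetched documents gives a reliable condition and a precise message, as below. The thrown message `We should have at least one existing role to create the user` is also reached from the update path (the last hunk of this file), so a neutral wording such as `No existing role matched the SAML role mapping: …` fits both callers. A TSDoc comment should state the contract both callers rely on: the helper accepts role ids or names, returns only the ids that exist, drops unknown entries with a warning, and throws when none resolve. `SystemLogger` is not imported in the visible hunks, so it is presumably already in scope elsewhere in the file; the return type's parameter is lost in this rendering and `IRole['_id'][]` below is assumed from the new `IRole` import.
```typescript
const convertRoleNamesToIds = async (roleNamesOrIds: string[]): Promise<IRole['_id'][]> => {
	const found = await Roles.findInIdsOrNames(roleNamesOrIds).toArray();
	// An input entry resolved if some role matched it by _id or by name.
	const matched = new Set(found.flatMap((role) => [role._id, role.name]));
	const unresolved = roleNamesOrIds.filter((entry) => !matched.has(entry));

	if (unresolved.length) {
		SystemLogger.warn(`Ignoring SAML roles that do not exist: ${unresolved.join(', ')}`);
	}

	if (!found.length) {
		throw new Error(`No existing role matched the SAML role mapping: ${roleNamesOrIds.join(', ')}`);
	}

	return found.map((role) => role._id);
};
```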
@@ -129,7 +143,8 @@ export class SAML {
 if (!user) {
 // If we received any role from the mapping, use them - otherwise use the default role for creation.
- const roles = userObject.roles?.length ? userObject.roles : ensureArray(defaultUserRole.split(','));
+ const roleNamesOrIds = userObject.roles?.length ? userObject.roles : ensureArray(defaultUserRole.split(','));
+ const roles = await convertRoleNamesToIds(roleNamesOrIds);
 const newUser: Record = {
 name: fullName,
@@ -200,7 +215,8 @@ export class SAML {
 // When updating an user, we only update the roles if we received them from the mapping
 if (userObject.roles?.length) {
- updateData.roles = userObject.roles;
+ const roles = await convertRoleNamesToIds(userObject.roles);
+ updateData.roles = roles;
 }
 if (userObject.channels && channelsAttributeUpdate === true) {

From 9222e4f3a5b770a9d21969b0b0160a5028535b9a Mon Sep 17 00:00:00 2001
From: Ricardo Garim
Date: Mon, 8 Dec 2025 08:31:34 -0300
Subject: [PATCH 2/2] add changeset

---
 .changeset/metal-moose-travel.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .changeset/metal-moose-travel.md

diff --git a/.changeset/metal-moose-travel.md b/.changeset/metal-moose-travel.md
new file mode 100644
index 0000000000000..71c2f66f5e02c
--- /dev/null
+++ b/.changeset/metal-moose-travel.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Fixes a condition where the `SAML_Custom_Default_default_user_role` setting, used to define the default SAML role when none is provided, would fail when a role name was used instead of an ID.
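Review bot: `defaultUserRole.split(',')` hands the raw fragments to the lookup, so a setting written as `user, admin` yields `' admin'`, which will not match a role name or id; before this change that string appears to have been stored as-is, now it is dropped with only a warning, so the user is created with fewer roles than the administrator configured. Normalising the value, `ensureArray(defaultUserRole.split(',').map((r) => r.trim()).filter(Boolean))`, avoids the silent loss, unless the setting is already trimmed upstream, which is not visible here. The enclosing method starts and ends outside the hunk.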
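Review bot: The `roles` temporary in the update hunk (`@@ -200,7 +215,8 @@`) adds nothing; `updateData.roles = await convertRoleNamesToIds(userObject.roles);` reads the same and matches how `updateData` is filled elsewhere in this block. This hunk also changes behaviour for existing users: where the old line stored whatever names the IdP sent, the helper now throws when none of them exist, so such a login fails instead of persisting unknown roles. That fail-closed outcome is the safer one, but a one-line comment above the call, e.g. `// Unknown roles are dropped; if none resolve the update aborts rather than storing unverified role names`, would record that it is intended; whether the throw is surfaced to the SAML response is not visible in this hunk.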