From 6ab83afb54e4b43d3b3ebe69f029175627d92914 Mon Sep 17 00:00:00 2001
From: tobmes
Date: Fri, 19 Jun 2026 13:06:14 +0000
Subject: [PATCH 1/6] Made OIDC group name lookup case-insensitive
---
 source/app/blueprints/pages/login/login_routes.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/source/app/blueprints/pages/login/login_routes.py b/source/app/blueprints/pages/login/login_routes.py
index bd8da3a33..1c00fbd40 100644
--- a/source/app/blueprints/pages/login/login_routes.py
+++ b/source/app/blueprints/pages/login/login_routes.py
@@ -349,11 +349,11 @@ def oidc_authorise():
 if not userroles_mapping_field:
 groups_list = get_groups_list()
 group_name_to_id = {
- group.group_name: group.group_id for group in groups_list
+ group.group_name.lower(): group.group_id for group in groups_list
 }
 else:
- group_name_to_id = json.loads(userroles_mapping_field)
- new_user_group = [group_name_to_id[group_name] for group_name in user_group if group_name in group_name_to_id]
+ group_name_to_id = {k.lower(): v for k, v in json.loads(userroles_mapping_field).items()}
+ new_user_group = [group_name_to_id[group_name.lower()] for group_name in user_group if group_name.lower() in group_name_to_id]
 if not new_user_group:
 return response_error("User role not in IRIS", 403)
 update_user_groups(user.id, new_user_group)
From a43b29895b9df60cd5b946a91fa9c4c73dbbc350 Mon Sep 17 00:00:00 2001
From: tobmes
Date: Fri, 19 Jun 2026 13:32:08 +0000
Subject: [PATCH 2/6] Changed OIDC roles mapping: values are now group names (not IDs)
---
 .../blueprints/pages/login/login_routes.py | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/source/app/blueprints/pages/login/login_routes.py b/source/app/blueprints/pages/login/login_routes.py
index 1c00fbd40..da1249faa 100644
--- a/source/app/blueprints/pages/login/login_routes.py
+++ b/source/app/blueprints/pages/login/login_routes.py
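Review bot: Lower-casing the keys in both dict comprehensions lets two entries that differ only in case collapse into one key, with the later entry silently winning, so a user can end up in a different IRIS group than the mapping author intended. Because this dictionary decides group membership at login, the build step should reject or at least log such a collision instead of overwriting, and `str.casefold()` is the more reliable normaliser for non-ASCII names. `group_name.lower()` in the list comprehension also assumes every entry of `user_group` is a string; a non-string value in the claim would raise `AttributeError` rather than be skipped, so a guard such as `if isinstance(group_name, str) and group_name.lower() in group_name_to_id` is worth adding. `oidc_authorise` starts and ends outside this hunk.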
@@ -346,14 +346,21 @@ def oidc_authorise():
 if usergroup_field is not None and not user_group:
 return response_error("Required user group information missing in OIDC response", 403)
 if user_group:
+ groups_list = get_groups_list()
+ group_name_to_id = {
+ group.group_name: group.group_id for group in groups_list
+ }
+
 if not userroles_mapping_field:
- groups_list = get_groups_list()
- group_name_to_id = {
- group.group_name.lower(): group.group_id for group in groups_list
- }
+ new_user_group = [group_name_to_id[group_name] for group_name in user_group if group_name in group_name_to_id]
 else:
- group_name_to_id = {k.lower(): v for k, v in json.loads(userroles_mapping_field).items()}
- new_user_group = [group_name_to_id[group_name.lower()] for group_name in user_group if group_name.lower() in group_name_to_id]
+ roles_to_group = json.loads(userroles_mapping_field)
+ new_user_group = []
+ for role_name in user_group:
+ if role_name in roles_to_group:
+ group_name = roles_to_group[role_name]
+ if group_name in group_name_to_id:
+ new_user_group.append(group_name_to_id[group_name])
 if not new_user_group:
 return response_error("User role not in IRIS", 403)
 update_user_groups(user.id, new_user_group)
From 5a8633466809e00078ba16bd28a095dc2d719214 Mon Sep 17 00:00:00 2001
From: tobmes
Date: Fri, 19 Jun 2026 14:06:16 +0000
Subject: [PATCH 3/6] Fixed None check for iris_current_user in track_activity
---
 source/app/iris_engine/utils/tracker.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/app/iris_engine/utils/tracker.py b/source/app/iris_engine/utils/tracker.py
index d17cdbda8..9420994c1 100644
--- a/source/app/iris_engine/utils/tracker.py
+++ b/source/app/iris_engine/utils/tracker.py
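Review bot: The `.lower()` calls introduced by the previous patch in this series are removed again here, so both `group_name in group_name_to_id` and `role_name in roles_to_group` are case-sensitive once more, which the subject line does not mention. If that is intended, say so in the commit message; if not, normalise on both sides, e.g. build the dict with `group.group_name.lower(): group.group_id` and look names up with `.lower()`. Separately, `json.loads(userroles_mapping_field)` is unguarded, so a malformed or non-object mapping raises in the middle of the login flow instead of taking the explicit 403 path; catching `ValueError` and checking `isinstance(roles_to_group, dict)` would keep the failure closed and readable. `oidc_authorise` starts and ends outside the hunk.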
@@ -48,7 +48,7 @@ def track_activity(message, caseid=None, ctx_less=False, user_input=False, displ
 ua.activity_date = datetime.utcnow()
 ua.activity_desc = message.capitalize()
- if iris_current_user.is_authenticated:
+ if iris_current_user and iris_current_user.is_authenticated:
 logger.info(f"{iris_current_user.user} [#{iris_current_user.id}] :: Case {caseid} :: {ua.activity_desc}")
 else:
 logger.info(f"Anonymous :: Case {caseid} :: {ua.activity_desc}")
From 68b3491074199fae03070eeeba5790829b30bdb2 Mon Sep 17 00:00:00 2001
From: tobmes
Date: Tue, 23 Jun 2026 08:06:13 +0000
Subject: [PATCH 4/6] Bump IRIS_VERSION to v2.5.0-beta.1-dev-pr9
---
 source/app/configuration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/app/configuration.py b/source/app/configuration.py
index ab2c18a20..ad5b97c77 100644
--- a/source/app/configuration.py
+++ b/source/app/configuration.py
@@ -369,7 +369,7 @@ def _parse_float(value):
 class Config:
 # Handled by bumpversion
- IRIS_VERSION = "v2.5.0-beta.1-dev-pr8" # DO NOT EDIT THIS LINE MANUALLY
+ IRIS_VERSION = "v2.5.0-beta.1-dev-pr9" # DO NOT EDIT THIS LINE MANUALLY
 if os.environ.get('IRIS_DEMO_VERSION') is not None and os.environ.get('IRIS_DEMO_VERSION') != 'None':
 IRIS_VERSION = os.environ.get('IRIS_DEMO_VERSION')
From f68a1010e6ca790b7a70a0a22b0a738058ed99a7 Mon Sep 17 00:00:00 2001
From: tobmes
Date: Tue, 23 Jun 2026 08:06:13 +0000
Subject: [PATCH 5/6] Refactor OIDC group mapping logic to handle group IDs and names more robustly
---
 .../blueprints/pages/login/login_routes.py | 22 ++++++++++++++-----
 source/app/configuration.py | 2 +-
 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/source/app/blueprints/pages/login/login_routes.py b/source/app/blueprints/pages/login/login_routes.py
index da1249faa..b27f80f4f 100644
--- a/source/app/blueprints/pages/login/login_routes.py
+++ b/source/app/blueprints/pages/login/login_routes.py
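Review bot: With the added truthiness guard, a call where `iris_current_user` is unset falls into the `else` branch and is logged as `Anonymous`, the same label used for an unauthenticated request, so the activity log cannot tell the two cases apart. A comment on the `if` would document this, for example `# iris_current_user can be unset when no login context is active; those entries are logged as Anonymous` (confirm when it is actually unset), and a distinct label for that case would make the audit trail clearer. The two log calls also interpolate `ua.activity_desc`, which is derived from `message`; if callers pass user-supplied text, replacing CR/LF before logging keeps one activity on one log line. `track_activity` starts and continues outside the hunk.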
@@ -351,16 +351,28 @@ def oidc_authorise():
 group.group_name: group.group_id for group in groups_list
 }
+ group_id_set = {g.group_id for g in groups_list}
+
 if not userroles_mapping_field:
- new_user_group = [group_name_to_id[group_name] for group_name in user_group if group_name in group_name_to_id]
+ new_user_group = [
+ group_name_to_id[group_name]
+ for group_name in user_group
+ if group_name in group_name_to_id
+ ]
 else:
 roles_to_group = json.loads(userroles_mapping_field)
 new_user_group = []
 for role_name in user_group:
- if role_name in roles_to_group:
- group_name = roles_to_group[role_name]
- if group_name in group_name_to_id:
- new_user_group.append(group_name_to_id[group_name])
+ if role_name not in roles_to_group:
+ continue
+ mapped_group = roles_to_group[role_name]
+ try:
+ group_id = int(mapped_group)
+ if group_id in group_id_set:
+ new_user_group.append(group_id)
+ except (ValueError, TypeError):
+ if mapped_group in group_name_to_id:
+ new_user_group.append(group_name_to_id[mapped_group])
 if not new_user_group:
 return response_error("User role not in IRIS", 403)
 update_user_groups(user.id, new_user_group)
diff --git a/source/app/configuration.py b/source/app/configuration.py
index ab2c18a20..ad5b97c77 100644
--- a/source/app/configuration.py
+++ b/source/app/configuration.py
@@ -369,7 +369,7 @@ def _parse_float(value):
 class Config:
 # Handled by bumpversion
- IRIS_VERSION = "v2.5.0-beta.1-dev-pr8" # DO NOT EDIT THIS LINE MANUALLY
+ IRIS_VERSION = "v2.5.0-beta.1-dev-pr9" # DO NOT EDIT THIS LINE MANUALLY
 if os.environ.get('IRIS_DEMO_VERSION') is not None and os.environ.get('IRIS_DEMO_VERSION') != 'None':
 IRIS_VERSION = os.environ.get('IRIS_DEMO_VERSION')
From c01ab36519c77419fbebea6f2f5fc188d30e28cc Mon Sep 17 00:00:00 2001
From: tobmes
Date: Tue, 23 Jun 2026 12:47:58 +0000
Subject: [PATCH 6/6] Close database session and dispose engine before running DB migration
---
 source/app/post_init.py | 3 +++
 1 file changed, 3 insertions(+)
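Review bot: In the mapped branch of the `login_routes.py` hunk, `int(mapped_group)` is tried first and the name lookup runs only when it raises, so a mapping value such as `"2024"` that names an existing group is never matched by name, and JSON `true` or `1.7` are accepted as group ID 1. The `except` branch then evaluates `mapped_group in group_name_to_id` for whatever made `int()` raise `TypeError`; a list or object value is unhashable, so that membership test itself raises during login. Resolving by exact name first and accepting only integers or digit strings as IDs removes the ambiguity about which group a role grants; a sketch follows. `oidc_authorise` starts and ends outside the hunk.

```python
# … unchanged: group_name_to_id / group_id_set setup, the no-mapping branch, loop header …
mapped_group = roles_to_group[role_name]
# An exact group name wins, even when the name looks numeric.
if isinstance(mapped_group, str) and mapped_group in group_name_to_id:
    new_user_group.append(group_name_to_id[mapped_group])
    continue
# Only integers and digit strings count as IDs; bool, float, list and dict are skipped.
if isinstance(mapped_group, bool) or not isinstance(mapped_group, (int, str)):
    continue
try:
    group_id = int(mapped_group)
except ValueError:
    continue
if group_id in group_id_set:
    new_user_group.append(group_id)
# … unchanged: empty-result 403 and update_user_groups call …
```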
diff --git a/source/app/post_init.py b/source/app/post_init.py
index 3da251c55..842758815 100644
--- a/source/app/post_init.py
+++ b/source/app/post_init.py
@@ -1390,6 +1390,9 @@ def run(self):
 self._logger.info('Running DB migration')
+ db.session.close()
+ db.engine.dispose()
+
 alembic_cfg = Config(file_='app/alembic.ini')
 alembic_cfg.set_main_option('sqlalchemy.url', self._configuration['SQLALCHEMY_DATABASE_URI'])
 command.upgrade(alembic_cfg, 'head')
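Review bot: The added `db.session.close()` and `db.engine.dispose()` carry no comment saying why they must run before `command.upgrade`, and `close()` discards anything still uncommitted on the session without leaving a trace in the log. Presumably the intent is to release connections held by this process so the migration's DDL is not blocked; if so, state it, e.g. `# Release this process's session and pooled connections so the Alembic upgrade is not blocked by an open transaction`. If work done earlier in `run()` can still be pending at this point, commit it or log that it is being dropped before closing. `run` starts and continues outside the hunk.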