[server] fix org-owned users without membership (#18463)

svenefftinge · web-flow · commit 73533e430267 · 2023-08-08T22:15:34.000+02:00
diff --git a/components/server/src/iam/iam-session-app.spec.ts b/components/server/src/iam/iam-session-app.spec.ts
@@ -21,7 +21,7 @@ import { OIDCCreateSessionPayload } from "./iam-oidc-create-session-payload";
 import { TeamMemberInfo, TeamMemberRole, User } from "@gitpod/gitpod-protocol";
 import { OrganizationService } from "../orgs/organization-service";
 import { UserService } from "../user/user-service";
-import { UserDB } from "@gitpod/gitpod-db/lib";
+import { TeamDB, UserDB } from "@gitpod/gitpod-db/lib";
 const expect = chai.expect;
 
 @suite(timeout(10000))
@@ -122,6 +122,7 @@ class TestIamSessionApp {
                         return run();
                     },
                 }); // unused
+                bind(TeamDB).toConstantValue(<any>{}); // unused
             }),
         );
         this.app = container.get(IamSessionApp);
diff --git a/components/server/src/iam/iam-session-app.ts b/components/server/src/iam/iam-session-app.ts
@@ -16,7 +16,7 @@ import { reportJWTCookieIssued } from "../prometheus-metrics";
 import { ApplicationError } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import { OrganizationService } from "../orgs/organization-service";
 import { UserService } from "../user/user-service";
-import { UserDB } from "@gitpod/gitpod-db/lib";
+import { BUILTIN_INSTLLATION_ADMIN_USER_ID, TeamDB, UserDB } from "@gitpod/gitpod-db/lib";
 import { SYSTEM_USER } from "../authorization/authorizer";
 
 @injectable()
@@ -29,6 +29,7 @@ export class IamSessionApp {
         @inject(OrganizationService) private readonly orgService: OrganizationService,
         @inject(SessionHandler) private readonly session: SessionHandler,
         @inject(UserDB) private readonly userDb: UserDB,
+        @inject(TeamDB) private readonly teamDb: TeamDB,
     ) {}
 
     public getMiddlewares() {
@@ -66,6 +67,26 @@ export class IamSessionApp {
         const existingUser = await this.findExistingOIDCUser(payload);
         if (existingUser) {
             await this.updateOIDCUserOnSignin(existingUser, payload);
+
+            try {
+                //TODO we need to fix users without a team membership that happened because of a bug in the past
+                // this is a workaround to fix the issue for now, but should be removed after a while
+                if (existingUser.organizationId) {
+                    const result = await this.teamDb.addMemberToTeam(existingUser.id, existingUser.organizationId);
+                    if (result === "added") {
+                        const teamMemberships = await this.teamDb.findMembersByTeam(existingUser.organizationId);
+                        const otherOwners = teamMemberships.filter(
+                            (tm) => tm.userId !== BUILTIN_INSTLLATION_ADMIN_USER_ID && tm.role !== "member",
+                        );
+                        // if there is no owner on the team besides the admin user, we make this user an owner
+                        if (otherOwners.length === 0) {
+                            await this.teamDb.setTeamMemberRole(existingUser.id, existingUser.organizationId, "owner");
+                        }
+                    }
+                }
+            } catch (error) {
+                log.error("Error fixing user team membership", error);
+            }
         }
 
         const user = existingUser || (await this.createNewOIDCUser(payload));
