Normalize auth taxonomy and Bloom role persistence#223
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2352f159ca
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if resolution.groups: | ||
| return resolution.roles, resolution.groups, candidate | ||
| return resolution.roles, resolution.groups, candidate, fallback |
There was a problem hiding this comment.
Returning immediately on a non-empty resolution.groups can short-circuit role resolution on cognito_sub before checking the email candidate for a persisted service role. After this change, roles are no longer derived from groups, so a user whose memberships are keyed by sub but whose stored role is keyed by email/login will be assigned the fallback READ_WRITE role instead of their persisted role (e.g., ADMIN) during login.
Useful? React with 👍 / 👎.
| group_service.remove_user_from_group( | ||
| group_code=group_code, | ||
| user_id=str(user.uid), | ||
| removed_by=str(user.uid), |
There was a problem hiding this comment.
The migration infers legacy role groups by checking memberships under multiple identifiers (uid, username, email), but removal is always executed with user_id=str(user.uid). When the active membership is stored under username/email, remove_user_from_group does not match and nothing is actually removed, even though the script records it as removed in the summary.
Useful? React with 👍 / 👎.
1 participant
Summary
Testing