[PR #2769] [MERGED] OpenID: Integrate permissions (Fixes #2523) #3797

Closed
opened 2026-04-25 00:17:06 +02:00 by adam · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/advplyr/audiobookshelf/pull/2769
Author: @Sapd
Created: 3/19/2024
Status: Merged
Merged: 3/30/2024
Merged by: @advplyr

Base: master ← Head: openid-permissions


📝 Commits (10+)

  • 56f1bfe Auth/OpenID: Implement Permissions via OpenID
  • f661e08 Auth: Simplify Code
  • 50330b0 Auth: Add translations
  • 1646f0e OpenID: Ignore admin for advanced permissions
  • 617b8f4 OpenID: Rename tags switch
  • 8cd50d5 OpenID: Don't downgrade root
  • 90e1283 OpenID: Allow email_verified null and also check username
  • 7e8fd91 Update OIDC advanced permissions check to only perform an update on changes
  • a5d7a81 Clean up formatting of advanced group/permission claims on authentication page
  • fc595bd Updates to authentication page for mobile screen sizes

📊 Changes

29 files changed (+426 additions, -63 deletions)


📝 client/components/app/SettingsContent.vue (+1 -1)
📝 client/components/ui/TextInputWithLabel.vue (+2 -1)
📝 client/pages/config/authentication.vue (+42 -5)
📝 client/strings/cs.json (+3 -0)
📝 client/strings/da.json (+3 -0)
📝 client/strings/de.json (+3 -0)
📝 client/strings/en-us.json (+3 -0)
📝 client/strings/es.json (+3 -0)
📝 client/strings/et.json (+3 -0)
📝 client/strings/fr.json (+3 -0)
📝 client/strings/gu.json (+3 -0)
📝 client/strings/he.json (+3 -0)
📝 client/strings/hi.json (+3 -0)
📝 client/strings/hr.json (+3 -0)
📝 client/strings/hu.json (+3 -0)
📝 client/strings/it.json (+3 -0)
📝 client/strings/lt.json (+3 -0)
📝 client/strings/nl.json (+3 -0)
📝 client/strings/no.json (+3 -0)
📝 client/strings/pl.json (+3 -0)

...and 9 more files

📄 Description

Integrate full permission support.

The user can configure (all optional and independent):

  • A group claim: This will set the user type of the user to either admin, user or guest. If it is set, the claim must exist and it must also include in the list either admin, user or guest, or login will be denied. If multiple groups match, the highest group gets priority (e.g. admin).
    If not configured, it will, like before, simply assign "user".
  • An advanced permissions claim (for example named abspermissions). The content should look like this:
{
  "canDownload": false,
  "canUpload": false,
  "canDelete": false,
  "canUpdate": false,
  "canAccessExplicitContent": false,
  "canAccessAllLibraries": false,
  "canAccessAllTags": false,
  "tagsAreDenylist": false,
  "allowedLibraries": ["ExampleLibrary", "AnotherLibrary"],
  "allowedTags": ["ExampleTag", "AnotherTag", "ThirdTag"]
}

If the whole claim (if configured) is missing, login will be denied. If a parameter like canDownload is missing, it will be treated as false. If an unknown parameter is provided, login will be denied. If the user is an admin, it will be ignored.

Screenshot 2024-03-19 at 19 27 06

Can be tested with Authentik like this:

  1. Create an OIDC Property Mapping (Customization -> Property Mappings)
  2. Name it however you want
  3. Set the Scope Name to, for example, "groups"

Here is an example expression, which adds the "admin" group if the user is in the "Dev" authentik group:

groups = [group.name for group in user.ak_groups.all()]
if "Dev" in groups:
  groups.append("admin")
return { "groups": groups }

For the advanced permissions, do the same and name the scope something like "abspermissions".

return {
  "abspermissions": {
    "canUpdate": True,
    "canDownload": True,
    "canUpload": False,
    "canDelete": True,
    "canAccessExplicitContent": False,
    "canAccessAllLibraries": True,
    "canAccessAllTags": True,
    "allowedLibraries": [
      "ExampleLibrary",
      "AnotherLibrary"
    ],
    "allowedTags": [
      "ExampleTag",
      "AnotherTag",
      "ThirdTag"
    ],
    "tagsAreDenylist": False
  }
}

Note that here (in Python?) the booleans must be upper case.

Screenshot 2024-03-19 at 19 36 18

Also make sure that after saving you click on "Test" beside the mapping and select a test user. For the first mapping it should show the correct groups, including for example user or admin. For the second, the claim.

Screenshot 2024-03-19 at 19 38 22

Then go to Providers -> Select your ABS provider -> Edit -> Advanced Protocol Settings. And select additionally your new mappings.

I tested it extensively but make sure to also do some tests.


Also, what's a bit weird in the code, I noticed we use:

global.ServerSettings.

around line 83. But at other places

Database.serverSettings.

Not sure if this has a specific purpose, but we should probably make it consistent, especially as the first S has different case but means the same variable.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
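The description above lays out the acceptance rules for the two claims (group claim: configured claim must exist and contain admin, user or guest, highest wins, default "user" when unconfigured; advanced permissions claim: missing claim denies, missing parameter means false, unknown parameter denies, ignored for admins). The following is an added example written for this page, not audiobookshelf's own code, that implements those rules as a standalone resolver over decoded ID-token claims. The config shape (`groupClaim`, `advancedPermissionsClaim`), the function names, and the rejection of non-boolean or non-string-array values (rather than coercing them) are assumptions of the example, not something the PR states.

```javascript
// Added example (not audiobookshelf's own code): resolves the group claim and the
// advanced permissions claim described in the PR into a user type and a permission
// set, denying login under the conditions the PR description lists.

// Group names recognised by the group claim, highest priority first.
const GROUP_PRIORITY = ['admin', 'user', 'guest']

// Keys of the advanced permissions claim, as listed in the PR description.
const BOOLEAN_PERMISSIONS = [
  'canDownload', 'canUpload', 'canDelete', 'canUpdate',
  'canAccessExplicitContent', 'canAccessAllLibraries', 'canAccessAllTags', 'tagsAreDenylist'
]
const LIST_PERMISSIONS = ['allowedLibraries', 'allowedTags']

// Returns { ok: true, type } or { ok: false, reason }.
function resolveUserType(claims, groupClaimName) {
  // Claim not configured: behave as before and assign "user".
  if (!groupClaimName) return { ok: true, type: 'user' }
  const groups = claims[groupClaimName]
  if (!Array.isArray(groups)) {
    return { ok: false, reason: `group claim "${groupClaimName}" missing or not a list` }
  }
  // First entry of GROUP_PRIORITY present in the claim wins (admin over user over guest).
  const type = GROUP_PRIORITY.find((t) => groups.includes(t))
  if (!type) return { ok: false, reason: 'group claim contains none of admin, user or guest' }
  return { ok: true, type }
}

// Returns { ok: true, permissions } or { ok: false, reason }.
// For admins the claim is ignored and `permissions` is null.
function resolvePermissions(claims, permissionClaimName, userType) {
  if (!permissionClaimName || userType === 'admin') return { ok: true, permissions: null }
  const claim = claims[permissionClaimName]
  if (claim === null || typeof claim !== 'object' || Array.isArray(claim)) {
    return { ok: false, reason: `permission claim "${permissionClaimName}" missing or not an object` }
  }
  // Any key outside the documented set denies login.
  const known = new Set([...BOOLEAN_PERMISSIONS, ...LIST_PERMISSIONS])
  const unknown = Object.keys(claim).filter((k) => !known.has(k))
  if (unknown.length) return { ok: false, reason: `unknown permission parameter(s): ${unknown.join(', ')}` }

  const permissions = {}
  for (const key of BOOLEAN_PERMISSIONS) {
    const value = claim[key]
    // Assumption of this example: a present but non-boolean value is rejected, not coerced.
    if (value !== undefined && typeof value !== 'boolean') {
      return { ok: false, reason: `${key} must be a boolean` }
    }
    permissions[key] = value === true // missing parameter is treated as false
  }
  for (const key of LIST_PERMISSIONS) {
    const value = claim[key]
    if (value !== undefined && !(Array.isArray(value) && value.every((x) => typeof x === 'string'))) {
      return { ok: false, reason: `${key} must be a list of strings` }
    }
    permissions[key] = value === undefined ? [] : value // missing list treated as empty (assumption)
  }
  return { ok: true, permissions }
}

// Combines both checks; any failure short-circuits with the reason for denial.
function authorizeFromClaims(claims, config) {
  const typeResult = resolveUserType(claims, config.groupClaim)
  if (!typeResult.ok) return typeResult
  const permResult = resolvePermissions(claims, config.advancedPermissionsClaim, typeResult.type)
  if (!permResult.ok) return permResult
  return { ok: true, type: typeResult.type, permissions: permResult.permissions }
}

// Constructed sample claims, mirroring the Authentik mapping in the PR description.
const SAMPLE_CONFIG = { groupClaim: 'groups', advancedPermissionsClaim: 'abspermissions' }
const SAMPLE_ADMIN_CLAIMS = {
  sub: 'constructed-user-1',
  groups: ['Dev', 'admin', 'user'],
  abspermissions: { canDownload: true, canUpdate: true, allowedLibraries: ['ExampleLibrary'] }
}
const SAMPLE_USER_CLAIMS = {
  sub: 'constructed-user-2',
  groups: ['user'],
  abspermissions: { canDownload: true, allowedLibraries: ['ExampleLibrary', 'AnotherLibrary'] }
}

console.log(authorizeFromClaims(SAMPLE_ADMIN_CLAIMS, SAMPLE_CONFIG)) // admin, permissions ignored
console.log(authorizeFromClaims(SAMPLE_USER_CLAIMS, SAMPLE_CONFIG))  // user, canUpload etc. false
console.log(authorizeFromClaims({ groups: ['Dev'] }, SAMPLE_CONFIG))  // denied: no recognised group
```

A useful property of structuring it this way is that every denial carries a reason string, which is what an operator needs in the server log when an identity provider mapping is misconfigured (a typo in a key, a boolean sent as a string) and users are locked out.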

adam added the pull-request label 2026-04-25 00:17:06 +02:00
adam closed this issue 2026-04-25 00:17:06 +02:00
Reference: starred/audiobookshelf#3797