User added by OIDC can't access meal plan #3397

Open
GreatGhaleon opened this issue Nov 11, 2024 · 1 comment


Tandoor Version

1.5.20

Setup

Others (please state below)

Reverse Proxy

Nginx Proxy Manager (NPM)

Other

LXC in Proxmox via helper script

Bug description

Thanks for everything you do! Love the software

Description:

When a user who did not previously exist in Tandoor signs in via OAuth, they are able to view recipes as expected. Clicking on Meal Plan, however, gives a 'No Permission' error. This is true even if an alternate group is assigned.

Steps to reproduce:

  1. In OIDC provider of choice, create a new user
  2. Use this new user to access Tandoor
  3. Observe that the new user is able to access Tandoor's recipes
  4. Attempt to view meal plan
  5. Observe 'No permission' display.
  6. Add new user to 'user' group
  7. Log out/log in and attempt to view meal plan
  8. Observe 'No permission' display.
  9. Add meal plan permissions explicitly to user
  10. Log out/log in and attempt to view meal plan
  11. Observe 'No permission' display.
  12. Add user to admin and grant staff and superuser
  13. Log out/log in and attempt to view meal plan
  14. Observe 'No permission' display.

Expected result:

When the user has appropriate permissions in Tandoor, I would expect them to be able to view the meal plan.

Actual result:

A permission denied error is displayed regardless of permissions.

Configuration details:

Tandoor 1.5.20 hosted in a Proxmox LXC container via Community-Helper scripts (formerly TTeck :( ). The application is hosted behind Cloudflare proxy, NGINX Proxy Manager and Authentik. I don't believe most of that will be relevant, however.

OAuth configuration:

SOCIAL_PROVIDERS=allauth.socialaccount.providers.openid_connect
SOCIALACCOUNT_PROVIDERS={ "openid_connect": { "SERVERS": [{ "id": "authentik", "name": "Authentik", "server_url": "REDACTED", "token_auth_method": "client_secret_basic", "APP": { "client_id": "REDACTED", "secret": "REDACTED" } } ] } }
REMOTE_USER_AUTH=0
SOCIAL_DEFAULT_ACCESS=1

Relevant logs

Gunicorn log:

[2024-11-11 21:04:25 +0100] [891] [DEBUG] GET /plan/
[2024-11-11 21:04:25 +0100] [891] [DEBUG] GET /no-perm

Tandoor systemd log:

Nov 11 01:14:24 lindblum systemd[1]: Started gunicorn_tandoor.service - gunicorn daemon for tandoor.

NGINX Log:

REDACTED IP - - [11/Nov/2024:16:04:23 -0400] "GET /api/recipe/?query=&internal=false&random=false&new=true&page=1&page_size=25&include_children=true&num_recent=5 HTTP/1.1" 200 17105 "REDACTED URL" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
REDACTED IP - - [11/Nov/2024:16:04:23 -0400] "GET /api/user-preference/3/ HTTP/1.1" 200 656 "REDACTED URL" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
REDACTED IP - - [11/Nov/2024:16:04:25 -0400] "GET /plan/ HTTP/1.1" 302 0 "REDACTED URL" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
REDACTED IP - - [11/Nov/2024:16:04:25 -0400] "GET /no-perm?next=/plan/ HTTP/1.1" 200 3816 "REDACTED URL" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
REDACTED IP - - [11/Nov/2024:16:04:56 -0400] "GET /no-perm?next=/plan/ HTTP/1.1" 200 3816 "REDACTED URL" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
REDACTED IP - - [11/Nov/2024:16:05:23 -0400] "GET /no-perm?next=/plan/ HTTP/1.1" 200 3816 "REDACTED URL" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36"
GreatGhaleon commented Nov 13, 2024

Just a further update to this:

I modified a template to print the groups the user is in by adding {{ request.user.groups.all }} to the template. I've verified that the user is in the 'user' group.
