From 42b44cef0703523c23b3d7f9df670156c3e7752a Mon Sep 17 00:00:00 2001
From: jasquat <2487833+jasquat@users.noreply.github.com>
Date: Fri, 8 Sep 2023 16:32:37 -0400
Subject: [PATCH] feature/user-guest-sign-in-fixes (#479)
* do not change guest user permissions when running refresh_permissions w/ burnettk
* linting
---------
Co-authored-by: jasquat
---
 .../services/authorization_service.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
index e2068921..8ba463ed 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@@ -14,6 +14,7 @@ from flask import request
 from flask import scaffold
 from spiffworkflow_backend.helpers.api_version import V1_API_PATH_PREFIX
 from spiffworkflow_backend.models.db import db
+from spiffworkflow_backend.models.group import SPIFF_GUEST_GROUP
 from spiffworkflow_backend.models.group import GroupModel
 from spiffworkflow_backend.models.human_task import HumanTaskModel
 from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
@@ -21,6 +22,7 @@ from spiffworkflow_backend.models.permission_target import PermissionTargetModel
 from spiffworkflow_backend.models.principal import MissingPrincipalError
 from spiffworkflow_backend.models.principal import PrincipalModel
 from spiffworkflow_backend.models.task import TaskModel # noqa: F401
+from spiffworkflow_backend.models.user import SPIFF_GUEST_USER
 from spiffworkflow_backend.models.user import UserModel
 from spiffworkflow_backend.models.user_group_assignment import UserGroupAssignmentModel
 from spiffworkflow_backend.routes.openid_blueprint import openid_blueprint
@@ -836,7 +838,7 @@ class AuthorizationService:
 if user_model:
 cls.associate_user_with_group(user_model, default_group)
 else:
- for user in UserModel.query.all():
+ for user in UserModel.query.filter(UserModel.username.not_in([SPIFF_GUEST_USER])).all(): # type: ignore
 cls.associate_user_with_group(user, default_group)
 return {
@@ -867,7 +869,7 @@ class AuthorizationService:
 if (
 current_app.config["SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP"] is None
 or current_app.config["SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP"] != iutga.group.identifier
- ):
+ ) and (iutga.group.identifier != SPIFF_GUEST_GROUP and iutga.user.username != SPIFF_GUEST_USER):
 current_user_dict: UserToGroupDict = {
 "username": iutga.user.username,
 "group_identifier": iutga.group.identifier,
@@ -877,6 +879,7 @@ class AuthorizationService:
 # do not remove the default user group
 added_group_identifiers.add(current_app.config["SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP"])
+ added_group_identifiers.add(SPIFF_GUEST_GROUP)
 groups_to_delete = GroupModel.query.filter(GroupModel.identifier.not_in(added_group_identifiers)).all()
 for gtd in groups_to_delete:
 db.session.delete(gtd)
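Review bot: The guest exclusion covers only the bulk query in the `else:` branch; the `if user_model:` branch still calls `cls.associate_user_with_group(user_model, default_group)` unconditionally, so a caller that passes the guest user would still add it to the default group. Whether any caller does that is not visible in this hunk, but wrapping that call in `if user_model.username != SPIFF_GUEST_USER:` would make both paths agree. A one-line comment such as `# the guest user must never receive the default group's permissions` above the query would record why the filter exists. The enclosing method begins and ends outside the hunk.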
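Review bot: The clause added to the `if (...)` condition skips every assignment whose group is `SPIFF_GUEST_GROUP` or whose user is `SPIFF_GUEST_USER`, which is wider than preserving the guest user's membership of the guest group: a guest-user membership in any other group, and any other user's membership in the guest group, are skipped as well. If the entries collected here are what the refresh later uses to remove stale assignments (the rest of the method is outside the hunk), those memberships would survive every refresh, including a guest membership in a privileged group. If only the guest pairing is meant to be kept, the clause could read `and not (iutga.group.identifier == SPIFF_GUEST_GROUP and iutga.user.username == SPIFF_GUEST_USER)`. Otherwise a comment stating that both are deliberately exempt would record the intent.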
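Review bot: The comment above the new `added_group_identifiers.add(SPIFF_GUEST_GROUP)` line still reads `# do not remove the default user group`, although the block now protects two groups from deletion. Updating it to `# do not remove the default user group or the guest group` keeps the comment accurate for the next reader of this cleanup step.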