Cloudron SSO Overwrites Traccar Admin Permissions
-
Environment
- Cloudron Version: 9.1.3
- App: Traccar 6.12.2
- User Management: Enabled (Cloudron SSO)
Description
When a user logs in via Cloudron SSO, their administrative permissions within Traccar are automatically reverted to a standard "User" status. Even after manually elevating the user in the database (setting administrator = 1 and userlimit = -1 in the tc_users table), the changes are overwritten the moment the user authenticates via SSO or the app is restarted.
This creates a persistent "Write Access Denied" state for the primary administrator, preventing the management of devices, geofences, or server settings.
Steps to Reproduce
- Install Traccar on Cloudron with User Management (SSO) enabled.
- Login via SSO (Initial status is a standard user).
- Manually elevate the user to admin in the Traccar UI.
- Confirm Admin access is active in the Traccar UI (Settings and Server menus are visible).
- Log out and log back in via Cloudron SSO, or restart the app.
- The user's administrator status in tc_users is reverted to 0x00, and administrative access is lost.
SQL: SELECT email, administrator FROM tc_users WHERE email = '[redacted]';
Expected Behavior
The Cloudron SSO sync should respect existing administrator flags within the Traccar database.
-
The bug must be relatively recent because I was able to add a device on March 5th when I was running Traccar 6.12.0. Cloudron instance was updated to 9.1.3 on March 7th.
Today I went in to add some more devices and experienced the aforementioned issue.
-
So it turns out the Traccar code always resets the role for a user on login. Because Cloudron does not expose the user role from Cloudron itself (such as whether a user is an admin on the Cloudron or not), Traccar assumes all users are normal users. Generally we do not expose user roles via OpenID, since the roles on Cloudron usually do not map well to an app. It looks like their implementation is designed more for ActiveDirectory/LDAP-style usage, where such info is usually stored with the directory and can be configured per client/app.
We will see if some upstream fix can be made and would be accepted.
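
The behaviour described above, as an added example that is not part of the original post and is not Traccar's or Cloudron's code: a simplified model of a login-time role sync that overwrites the local flag, next to one that only changes it when the identity provider actually sends group data. The `User` class, both function names, the `groups` claim and the `traccar-admins` group are hypothetical.

```python
# Added illustration: simplified model of login-time role sync, NOT Traccar's code.
# User, sync_overwrite, sync_preserve, the "groups" claim and "traccar-admins"
# are hypothetical names chosen for this example.
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    email: str
    administrator: bool = False


def sync_overwrite(user: User, claims: dict, admin_group: str) -> User:
    """Recompute the role on every login; a missing claim means 'not admin'."""
    user.administrator = admin_group in claims.get("groups", [])
    return user


def sync_preserve(user: User, claims: dict, admin_group: Optional[str]) -> User:
    """Treat the IdP as authoritative only when it sends group data."""
    groups = claims.get("groups")
    if admin_group is None or groups is None:
        return user  # no role information in the token: keep the local flag
    user.administrator = admin_group in groups  # explicit data still revokes
    return user


def demo() -> dict:
    # Constructed ID-token claims; the first set carries no role information.
    no_roles = {"sub": "uid-123", "email": "user@domain.com"}
    with_roles = {**no_roles, "groups": ["traccar-admins"]}
    empty_roles = {**no_roles, "groups": []}
    grp = "traccar-admins"

    def local_admin() -> User:
        return User("user@domain.com", administrator=True)

    return {
        "overwrite_no_claim": sync_overwrite(local_admin(), no_roles, grp).administrator,
        "preserve_no_claim": sync_preserve(local_admin(), no_roles, grp).administrator,
        "preserve_with_claim": sync_preserve(User("user@domain.com"), with_roles, grp).administrator,
        "preserve_empty_groups": sync_preserve(local_admin(), empty_roles, grp).administrator,
    }


if __name__ == "__main__":
    for case, is_admin in demo().items():
        print(f"{case}: administrator={is_admin}")
```

In the second variant an explicitly empty `groups` claim still removes the administrator flag, so revocation from the directory keeps working when the provider does supply roles.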
-
Temporary work-around for anyone experiencing the same issue:
- Access the SQL DB via the Cloudron App Terminal
- Manually elevate the user via SQL:
UPDATE tc_users SET administrator = 1, userlimit = -1 WHERE email = 'user@domain.com';
- Do whatever admin tasks you need to do, noting that admin permissions will be removed at next login or app restart.