Temporary work-around for anyone experiencing the same issue:
UPDATE tc_users SET administrator = 1, userlimit = -1 WHERE email = 'user@domain.com'
The bug must be relatively recent because I was able to add a device on March 5th when I was running Traccar 6.12.0. Cloudron instance was updated to 9.1.3 on March 7th.
Today I went in to add some more devices and experienced the aforementioned issue.
Environment
Description
When a user logs in via Cloudron SSO, their administrative permissions within Traccar are automatically reverted to a standard "User" status. Even after manually elevating the user in the database (setting administrator = 1 and userlimit = -1 in the tc_users table), the changes are overwritten the moment the user authenticates via SSO or the app is restarted.
This creates a persistent "Write Access Denied" state for the primary administrator, preventing the management of devices, geofences, or server settings.
Steps to Reproduce
Install Traccar on Cloudron with User Management (SSO) enabled.
Login via SSO (Initial status is a standard user).
Manually elevate the user to admin in the Traccar UI.
Confirm Admin access is active in the Traccar UI (Settings and Server menus are visible).
Log out and log back in via Cloudron SSO, or restart the app.
The user's administrator status in tc_users is reverted to 0x00, and administrative access is lost.
SQL: SELECT email, administrator FROM tc_users WHERE email = '[redacted]';
Expected Behavior
The Cloudron SSO sync should respect existing administrator flags within the Traccar database.
I was attempting to send user invitations via the Stirling-PDF app but noticed the SMTP settings are currently unconfigured. Looking at the package, it appears that Managed SMTP isn't currently enabled for this app.
Could we update the Cloudron app to include the Cloudron SMTP app relay? This would allow the app to automatically use Cloudron’s built-in mail server settings via environment variables, rather than requiring users to manually configure external SMTP credentials within the app UI.
Thank you @James for your support with this. I was looking at creating a bug report for Penpot but noticed that @brutalbirdie has already done it. Thanks all !
Yes it is reproducible on Chrome, but Firefox works fine. I think we have a similar issue with Cubby: https://forum.cloudron.io/topic/15150/dropping-folders-flattens-the-folder-content-on-upload
Wonder if they (Filemanager and Cubby) are using a similar mechanism in the background
Hi @James , noted, will send you a DM with the link to the HAR file shortly. Thanks in advance for your assistance!
Additionally, when I open the penpot homepage, there is an orange dialog box that briefly opens in the window and then immediately disappears before I can see what it is about. I will try to troubleshoot it this weekend.
There is a 400 Error on OIDC POST:
Mar 11 11:37:00 172.18.0.1 - - [11/Mar/2026:08:37:00 +0000] "GET /api/rpc/command/get-profile HTTP/1.1" 200 95 "-" "Mozilla (CloudronHealth)"
Mar 11 11:37:10 172.18.0.1 - - [11/Mar/2026:08:37:10 +0000] "GET /api/rpc/command/get-profile HTTP/1.1" 200 95 "-" "Mozilla (CloudronHealth)"
Mar 11 11:37:20 172.18.0.1 - - [11/Mar/2026:08:37:20 +0000] "GET /api/rpc/command/get-profile HTTP/1.1" 200 95 "-" "Mozilla (CloudronHealth)"
Mar 11 11:37:25 172.18.0.1 - - [11/Mar/2026:08:37:25 +0000] "GET / HTTP/1.1" 200 163106 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"
Mar 11 11:37:25 172.18.0.1 - - [11/Mar/2026:08:37:25 +0000] "GET /js/config.js?version=develop HTTP/1.1" 200 129 "https://[REDACTED_PENPOT_DOMAIN]/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"
Mar 11 11:37:26 172.18.0.1 - - [11/Mar/2026:08:37:26 +0000] "HEAD / HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"
Mar 11 11:37:26 172.18.0.1 - - [11/Mar/2026:08:37:26 +0000] "GET /api/main/methods/get-profile HTTP/1.1" 200 79 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"
Mar 11 11:37:26 172.18.0.1 - - [11/Mar/2026:08:37:26 +0000] "GET /rasterizer.html HTTP/1.1" 200 536 "https://[REDACTED_PENPOT_DOMAIN]/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"
Mar 11 11:37:26 172.18.0.1 - - [11/Mar/2026:08:37:26 +0000] "GET /js/config.js?version=develop HTTP/1.1" 200 129 "https://[REDACTED_PENPOT_DOMAIN]/rasterizer.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"
Mar 11 11:37:26 172.18.0.1 - - [11/Mar/2026:08:37:26 +0000] "GET /api/main/methods/get-profile HTTP/1.1" 200 79 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"
Mar 11 11:37:26 172.18.0.1 - - [11/Mar/2026:08:37:26 +0000] "GET /api/main/methods/get-teams HTTP/1.1" 401 135 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"
Mar 11 11:37:27 172.18.0.1 - - [11/Mar/2026:08:37:27 +0000] "POST /api/main/methods/logout HTTP/1.1" 400 218 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"
Mar 11 11:37:27 172.18.0.1 - - [11/Mar/2026:08:37:27 +0000] "GET /fonts/WorkSans-VariableFont.ttf HTTP/1.1" 200 362304 "https://[REDACTED_PENPOT_DOMAIN]/css/main.css?version=develop" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"
Mar 11 11:37:30 172.18.0.1 - - [11/Mar/2026:08:37:30 +0000] "GET /api/rpc/command/get-profile HTTP/1.1" 200 95 "-" "Mozilla (CloudronHealth)"
Mar 11 11:37:32 172.18.0.1 - - [11/Mar/2026:08:37:32 +0000] "POST /api/auth/oidc?provider=oidc HTTP/1.1" 400 138 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/145.0.0.0 Safari/537.36"**
Mar 11 11:37:40 172.18.0.1 - - [11/Mar/2026:08:37:40 +0000] "GET /api/rpc/command/get-profile HTTP/1.1" 200 95 "-" "Mozilla (CloudronHealth)"
Mar 11 11:37:50 172.18.0.1 - - [11/Mar/2026:08:37:50 +0000] "GET /api/rpc/command/get-profile HTTP/1.1" 200 95 "-" "Mozilla (CloudronHealth)"
Mar 11 11:38:00 172.18.0.1 - - [11/Mar/2026:08:37:30 +0000] "GET /api/rpc/command/get-profile HTTP/1.1" 200 95 "-" "Mozilla (CloudronHealth)"
Hi @nebulon , I just tested this on 9.1.3 and am still experiencing the issue.
Browser: Safari, Brave Browser
OS: Mac OS Tahoe 26
I upgraded from 9.0.17 to 9.1.3 yesterday and everything went smooth as butter! Thanks to the Cloudron team for the awesome work!
@James many thanks for the tips. I have followed the instructions and was able to confirm that the app's CLIENT_ID and CLIENT_SECRET exist in the Cloudron internal MySQL database.
I will try to find some time this week to do some more troubleshooting and report back if I am able to resolve the problem.
I ran curl -v https://<your-cloudron-dashboard-url>/.well-known/openid-configuration from the Penpot terminal and it connected just fine. So maybe it is not network related. More investigations to follow.
@James thanks for the feedback. Will do some more troubleshooting on my end. Could be network/firewall related.
Fresh install of Penpot 2.13.3 on Cloudron 9.1.3 configured to use Cloudron's SSO, and experiencing the same issue.
Disabling the Cloudflare proxy doesn't do anything for me.
Are there any plans to add SSO session timeout / inactivity timeout to Cloudron? I am finding that when I configure timeout (e.g. when browser is closed) within apps that are using Cloudron's SSO, the SSO is still keeping the user logged in.
Many businesses require sessions to expire after inactivity or browser closure for security audits.
If a user forgets to log out on a shared machine, a "timeout on close" or "idle timeout" is the only line of defense.
Most professional SSO providers (like Okta or Auth0) allow admins to set a "Max Session Age" or "Inactivity Timeout" at the platform level.
Noted, will wait for the 9.1 release then and revert if there are still issues.
Was this ever implemented? I am experiencing the same issue (flattening of folders) while trying to upload folders into the public folder of a LAMP app on Cloudron v9.0.17.
@nebulon see below. I think the issue is related to the bug in post #3 because it seems to be limited to making changes to the label/tags field when users and/or groups were previously selected but show unselected in the UI. If I edit the fields for an external link that is visible to all users, that seems to be working fine.
body
:
message
:
"All groups have to be strings"
status
:
"Bad Request"