From 59e39f5f9db08faa99648f5c9c620e76cc75930e Mon Sep 17 00:00:00 2001
From: Sam Gamble
Date: Thu, 19 Sep 2024 12:55:14 +0100
Subject: [PATCH] Allow admin users to work without group claim
---
 src/server/oasisapi/oidc/keycloak_auth.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/server/oasisapi/oidc/keycloak_auth.py b/src/server/oasisapi/oidc/keycloak_auth.py
index 5c98b96a0..1e4fbd8b4 100644
--- a/src/server/oasisapi/oidc/keycloak_auth.py
+++ b/src/server/oasisapi/oidc/keycloak_auth.py
@@ -158,9 +158,13 @@ def update_groups(self, user, claims):
 Persist Keycloak groups as local Django groups.
 """
 keycloak_groups = claims.get('groups', None)
+
 if keycloak_groups is None:
- msg = 'No group found in claim / user_info'
- raise SuspiciousOperation(msg)
+ if (user.is_superuser or user.is_staff):
+ keycloak_groups = []
+ else:
+ msg = 'No group found in claim / user_info'
+ raise SuspiciousOperation(msg)
 for i, keycloak_group in enumerate(keycloak_groups):
 if keycloak_group.startswith('/'):
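Review bot: The new `if (user.is_superuser or user.is_staff):` branch turns a missing `groups` claim from a hard failure into a silent pass for any account carrying either local flag, and nothing records that the exemption was taken. `is_staff` in Django only grants admin-site login, so including it widens the exemption beyond full administrators; if only superusers need it, `if user.is_superuser:` is enough (the parentheses are redundant either way). Whether these flags are refreshed from the token before `update_groups` runs is not visible here; if they are only stored locally, an account demoted in Keycloak would keep the exemption, so that ordering is worth confirming. The rest of the function lies outside the hunk: with `keycloak_groups = []` the loop is skipped, and if the code after it reconciles local group membership against this list, the admin's existing groups may be cleared on each login. A comment such as `# admins may log in without a groups claim; treated as having no Keycloak groups` plus a warning log entry naming the user would make the exception auditable.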