github Buco7854/jellyfin-plugin-sso v4.0.0.6

8 hours ago

v4.0.0.6: Role-mapped permissions were never saved on Jellyfin 10.11

⚠️ Requires Jellyfin 10.11.

The bug

If you run Jellyfin 10.11.x, every permission this plugin set during SSO login (administrator status, library/folder access, and Live TV access) was only ever applied to Jellyfin's in-memory user cache and never written to the database. Everything looked correct after logging in, then permissions silently reverted whenever Jellyfin reloaded the user from the database:

  • after every server restart
  • after any dashboard policy save for that user (even mid-session)

Logging out and back in "fixed" it each time, because the plugin re-applied the permissions in memory again. This is the root cause behind reports like 9p4#367.

The cause is a Jellyfin 10.11 change: UpdateUserAsync now only persists the user's root row, silently discarding changes the plugin made to permission/preference rows.

The fix

The plugin now persists permissions through UpdatePolicyAsync, the same code path Jellyfin's own user dashboard uses, so role-mapped admin, folder, and Live TV permissions are genuinely saved.

Behavior change: strict admin sync is the default again

PreserveAdminPermissions now defaults to false. With the persistence bug gone, your IDP roles are the source of truth: a login that does not match any admin role revokes the administrator flag, durably. If you prefer elevate-only behavior (never revoke), enable the "Preserve Existing Admin Permissions" checkbox on the provider.

Double-check your adminRoles and roleClaim mapping before logging in with your admin account, since mismatches now demote for real.

Upgrade note: if you saved your provider settings on 4.0.0.5, the old true value is kept in your config until you uncheck it. Configs saved on 4.0.0.4 or older get the new strict default automatically.
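To act on the mapping check advised above, this added example (not part of the plugin or its release notes) predicts the admin outcome of a login from a decoded ID token's claims, under strict sync and with "Preserve Existing Admin Permissions" enabled. The sample claims, the role names, the dotted-path lookup for roleClaim, and exact string matching are assumptions for illustration; the plugin's own claim parsing may differ.

```python
import json

# Constructed sample: decoded ID-token claims (not real data).
SAMPLE_CLAIMS = json.loads("""
{"preferred_username": "alice",
 "realm_access": {"roles": ["jellyfin-users", "offline_access"]},
 "groups": "jellyfin-admins"}
""")


def roles_from_claims(claims, role_claim):
    """Walk a dotted path (assumed layout) and return the roles found as a set."""
    node = claims
    for part in role_claim.split("."):
        if not isinstance(node, dict) or part not in node:
            return set()          # claim missing: no roles, so no admin match
        node = node[part]
    if isinstance(node, str):
        return {node}             # single role issued as a plain string
    if isinstance(node, list):
        return {r for r in node if isinstance(r, str)}
    return set()


def predict_admin(claims, role_claim, admin_roles, currently_admin,
                  preserve_admin=False):
    """Return (is_admin_after_login, reason) per the behavior described above."""
    matched = roles_from_claims(claims, role_claim) & set(admin_roles)
    if matched:
        return True, "matched admin role(s): " + ", ".join(sorted(matched))
    if preserve_admin:
        return currently_admin, "no match; PreserveAdminPermissions keeps current flag"
    if currently_admin:
        return False, "no match; strict sync DEMOTES this admin"
    return False, "no match; user stays non-admin"


if __name__ == "__main__":
    # Same admin role name, two candidate roleClaim settings: only one matches.
    for claim, roles in [("realm_access.roles", ["jellyfin-admins"]),
                         ("groups", ["jellyfin-admins"])]:
        result = predict_admin(SAMPLE_CLAIMS, claim, roles, currently_admin=True)
        print(f"roleClaim={claim!r} adminRoles={roles} -> {result}")
```

Feed it the claims your IdP actually issues for the admin account before the first login on this version; a "DEMOTES" result means the mapping needs fixing first.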

Also fixed

  • Newly created SSO users now have their random password saved immediately. Previously a timing quirk was the only thing preventing a passwordless account in the database.
  • Unregister (switching a user back to another auth provider) now actually saves the change instead of losing it on restart.
  • Invalid folder IDs in the folder configuration are skipped with a warning instead of being written raw.
  • The permission sync explicitly preserves the lyric management permission, which Jellyfin omits from its user DTO and would otherwise reset on every login.

Full Changelog: v4.0.0.5...v4.0.0.6
