Description
Describe the bug
In 2024.8, property mappings were reworked to allow filling in multiple properties from a single mapping code. After that change, the behavior of properties containing lists changed as well. Before the rework, each value, whether it was a list or anything else, was replaced by the new value returned by the mapping code. Now, list values are not replaced but merged with the existing value, which makes it impossible to remove any objects from the list.
This behavior probably also affects dictionaries and other data structures that can be merged.
To Reproduce
Steps to reproduce the behavior:
- Create an attribute mapping that saves a list from the input into an attribute
- Run the mapping, passing in a list with a few elements
- Run the mapping again, passing in a different list that does not contain all the elements from the first run
- See that the resulting list saved to the user attribute contains elements from both runs
Expected behavior
There should be a way to either remove specific items or clear the items. Ideally, it should just work as before, replacing the whole list. If that can't be provided, a separate list-like type could be made available for use in mapping code that, when returned, is not merged with the existing value but replaces it completely.
Screenshots
None.
Logs
I don't think this is relevant, as there are no specific logs produced; it is the behavior of the functionality that changed.
Version and Deployment (please complete the following information):
- authentik version: 2024.8.0 and above, up to and including 2025.6.4
- Deployment: docker swarm (via portainer)
Additional context
This may cause a serious security issue: if someone revokes permissions from a particular user in the system authentik fetches data from, they expect that permission to disappear from authentik as well. That is not the case if the synchronization of permissions involves attribute mappings and the permissions are passed on as a list (or possibly a dict).
Behavior for other data types was not tested, but it is probably the same, as deepmerge.Merger is involved in the process.
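The following added example (not authentik's code) reproduces the effect described above with a minimal additive merge next to the older replace semantics, and includes a check that flags entries a merged attribute still carries after the upstream source stopped reporting them. The attribute name `groups`, the group values, the deduplicating list strategy and the two sync runs are constructed assumptions for this illustration.

```python
from copy import deepcopy

def merge_append(existing, incoming):
    """Additive deep merge: dicts are merged key by key, lists are concatenated
    (duplicates skipped, an assumption about the exact strategy), scalars replaced."""
    if isinstance(existing, dict) and isinstance(incoming, dict):
        out = deepcopy(existing)
        for key, value in incoming.items():
            out[key] = merge_append(out[key], value) if key in out else deepcopy(value)
        return out
    if isinstance(existing, list) and isinstance(incoming, list):
        return existing + [v for v in incoming if v not in existing]
    return deepcopy(incoming)

def merge_replace(existing, incoming):
    """Pre-2024.8 semantics: the value returned by the mapping replaces the attribute."""
    return deepcopy(incoming)

def stale_entries(stored, source):
    """Values still present in the stored list that the upstream source no longer reports."""
    return [v for v in stored if v not in source]

# Constructed sample: two sync runs; 'admins' was revoked upstream before run 2.
RUN_1 = {"groups": ["admins", "developers"]}
RUN_2 = {"groups": ["developers"]}

def simulate(merge):
    """Apply both sync runs to an initially empty attribute store using `merge`."""
    attrs = {}
    for run in (RUN_1, RUN_2):
        attrs = merge(attrs, run)
    return attrs

if __name__ == "__main__":
    for name, merge in (("append", merge_append), ("replace", merge_replace)):
        groups = simulate(merge)["groups"]
        print(f"{name:8}{groups}  stale: {stale_entries(groups, RUN_2['groups'])}")
```

Running `stale_entries` against the latest upstream result after each sync is a cheap way to detect permissions that survived a merge they should not have.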