Low severityNVD Advisory· Published Jan 2, 2024· Updated Jun 17, 2025

Lack of restriction to manage group names for freshly demoted guests

CVE-2023-50333

Description

Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to change group names.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package · Affected versions · Patched versions
github.com/mattermost/mattermost/server/v8 (Go)
< 8.1.7 · 8.1.7


Patches

1
61dd452fb2fc

MM-54774 - update session roles when promote/demote guests (#25156) (#25505)

https://github.com/mattermost/mattermost · Scott Bishel · Nov 21, 2023 · via ghsa
3 files changed · +66 −4
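--- a/server/channels/app/platform/session.go
+++ b/server/channels/app/platform/session.go
@@ -223,8 +223,13 @@ func (ps *PlatformService) ExtendSessionExpiry(session *model.Session, newExpiry
 	return nil
 }
 
-func (ps *PlatformService) UpdateSessionsIsGuest(userID string, isGuest bool) error {
-	sessions, err := ps.GetSessions(userID)
+func (ps *PlatformService) UpdateSessionsIsGuest(user *model.User, isGuest bool) error {
+	sessions, err := ps.GetSessions(user.Id)
+	if err != nil {
+		return err
+	}
+
+	_, err = ps.Store.Session().UpdateRoles(user.Id, user.GetRawRoles())
 	if err != nil {
 		return err
 	}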
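Review bot: The `sessions` slice is loaded on the line before `UpdateRoles`, so every in-memory session still carries the pre-change `Roles` string; if the rest of `UpdateSessionsIsGuest` (its body continues past the hunk) writes those objects back or re-caches them, the stale roles can outlive the store update and the session keeps its old permissions until the cache is refreshed. Either load the sessions after `UpdateRoles`, or set `session.Roles = user.GetRawRoles()` next to the is-guest prop before each session is persisted or cached. With the whole user now passed in, the `isGuest` parameter duplicates what `user.IsGuest()` returns — both callers in user.go pass exactly that — so it could be dropped in a follow-up. `user` is dereferenced without a nil check, which the two current callers satisfy, but the contract should be stated: `// UpdateSessionsIsGuest syncs the stored roles and the is-guest prop of every session of user; user must be non-nil.`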
    
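--- a/server/channels/app/platform/session_test.go
+++ b/server/channels/app/platform/session_test.go
@@ -4,6 +4,7 @@
 package platform
 
 import (
+	"context"
 	"testing"
 	"time"
 
@@ -132,3 +133,59 @@ func TestOAuthRevokeAccessToken(t *testing.T) {
 	err = th.Service.RevokeAccessToken(accessData.Token)
 	require.NoError(t, err)
 }
+
+func TestUpdateSessionsIsGuest(t *testing.T) {
+	th := Setup(t)
+	defer th.TearDown()
+
+	t.Run("Test session is demoted", func(t *testing.T) {
+		user := th.CreateUserOrGuest(false)
+
+		session := &model.Session{}
+		session.CreateAt = model.GetMillis()
+		session.UserId = user.Id
+		session.Token = model.NewId()
+		session.Roles = "fake_role"
+		th.Service.SetSessionExpireInHours(session, 24)
+
+		session, _ = th.Service.CreateSession(session)
+
+		demotedUser, err := th.Service.Store.User().DemoteUserToGuest(user.Id)
+		require.NoError(t, err)
+		require.Equal(t, model.SystemGuestRoleId, demotedUser.Roles)
+
+		err = th.Service.UpdateSessionsIsGuest(demotedUser, true)
+		require.NoError(t, err)
+
+		session, err = th.Service.GetSession(session.Id)
+		require.NoError(t, err)
+		require.Equal(t, model.SystemGuestRoleId, session.Roles)
+		require.Equal(t, "true", session.Props[model.SessionPropIsGuest])
+	})
+
+	t.Run("Test session is promoted", func(t *testing.T) {
+		user := th.CreateUserOrGuest(true)
+
+		session := &model.Session{}
+		session.CreateAt = model.GetMillis()
+		session.UserId = user.Id
+		session.Token = model.NewId()
+		session.Roles = "fake_role"
+		th.Service.SetSessionExpireInHours(session, 24)
+
+		session, _ = th.Service.CreateSession(session)
+
+		err := th.Service.Store.User().PromoteGuestToUser(user.Id)
+		require.NoError(t, err)
+
+		promotedUser, err := th.Service.Store.User().Get(context.Background(), user.Id)
+		require.NoError(t, err)
+		err = th.Service.UpdateSessionsIsGuest(promotedUser, false)
+		require.NoError(t, err)
+
+		session, err = th.Service.GetSession(session.Id)
+		require.NoError(t, err)
+		require.Equal(t, model.SystemUserRoleId, session.Roles)
+		require.Equal(t, "false", session.Props[model.SessionPropIsGuest])
+	})
+}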
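Review bot: `session, _ = th.Service.CreateSession(session)` in both subtests discards the error, so a failed session creation shows up as a nil-pointer panic at `session.Id` rather than a clear assertion; write `session, err := th.Service.CreateSession(session)` followed by `require.NoError(t, err)` (in the promote subtest the later `err := ...PromoteGuestToUser(...)` then becomes `err = ...`). The read-back through `th.Service.GetSession(session.Id)` confirms the stored row carries the new roles, but it does not show whether a cached copy of the session still holds the pre-demotion roles — if the service caches sessions by token, a second lookup using the original `session.Token` after the update would be the stronger check for this CVE. The two subtests also repeat identical session setup and could share a small helper that takes the guest flag.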
    
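--- a/server/channels/app/user.go
+++ b/server/channels/app/user.go
@@ -2299,7 +2299,7 @@ func (a *App) PromoteGuestToUser(c *request.Context, user *model.User, requestor
 		c.Logger().Warn("Failed to get user on promote guest to user", mlog.Err(err))
 	} else {
 		a.sendUpdatedUserEvent(*promotedUser)
-		if uErr := a.ch.srv.platform.UpdateSessionsIsGuest(promotedUser.Id, promotedUser.IsGuest()); uErr != nil {
+		if uErr := a.ch.srv.platform.UpdateSessionsIsGuest(promotedUser, promotedUser.IsGuest()); uErr != nil {
 			c.Logger().Warn("Unable to update user sessions", mlog.String("user_id", promotedUser.Id), mlog.Err(uErr))
 		}
 	}
@@ -2344,7 +2344,7 @@ func (a *App) DemoteUserToGuest(c request.CTX, user *model.User) *model.AppError
 	}
 
 	a.sendUpdatedUserEvent(*demotedUser)
-	if uErr := a.ch.srv.platform.UpdateSessionsIsGuest(demotedUser.Id, demotedUser.IsGuest()); uErr != nil {
+	if uErr := a.ch.srv.platform.UpdateSessionsIsGuest(demotedUser, demotedUser.IsGuest()); uErr != nil {
 		c.Logger().Warn("Unable to update user sessions", mlog.String("user_id", demotedUser.Id), mlog.Err(uErr))
 	}
 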
    

