pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-03-29 14:06:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

set roles 1:1 on auto provision

Browse Source
This commit is contained in:
miloschwartz
2026-03-28 17:29:01 -07:00
parent 7bcb852dba
commit c6f269b3fa
1 changed files with 16 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
server/routers/idp/validateOidcCallback.ts
View File

@@ -579,30 +579,28 @@ export async function validateOidcCallback(
}
}
// Ensure IDP-provided role exists for existing auto-provisioned orgs (add only; never delete other roles)
const userRolesInOrgs = await trx
.select()
.from(userOrgRoles)
.where(eq(userOrgRoles.userId, userId!));
// Sync roles 1:1 with IdP policy for existing auto-provisioned orgs
for (const currentOrg of autoProvisionedOrgs) {
const newRole = userOrgInfo.find(
(newOrg) => newOrg.orgId === currentOrg.orgId
);
if (!newRole) continue;
const currentRolesInOrg = userRolesInOrgs.filter(
(r) => r.orgId === currentOrg.orgId
);
for (const roleId of newRole.roleIds) {
const hasIdpRole = currentRolesInOrg.some(
(r) => r.roleId === roleId
await trx
.delete(userOrgRoles)
.where(
and(
eq(userOrgRoles.userId, userId!),
eq(userOrgRoles.orgId, currentOrg.orgId)
)
);
if (!hasIdpRole) {
await trx.insert(userOrgRoles).values({
userId: userId!,
orgId: currentOrg.orgId,
roleId
});
}
for (const roleId of newRole.roleIds) {
await trx.insert(userOrgRoles).values({
userId: userId!,
orgId: currentOrg.orgId,
roleId
});
}
}