set roles 1:1 on auto provision

This commit is contained in:
miloschwartz
2026-03-28 17:29:01 -07:00
parent 7bcb852dba
commit c6f269b3fa


@@ -579,24 +579,23 @@ export async function validateOidcCallback(
} }
} }
// Ensure IDP-provided role exists for existing auto-provisioned orgs (add only; never delete other roles) // Sync roles 1:1 with IdP policy for existing auto-provisioned orgs
const userRolesInOrgs = await trx
.select()
.from(userOrgRoles)
.where(eq(userOrgRoles.userId, userId!));
for (const currentOrg of autoProvisionedOrgs) { for (const currentOrg of autoProvisionedOrgs) {
const newRole = userOrgInfo.find( const newRole = userOrgInfo.find(
(newOrg) => newOrg.orgId === currentOrg.orgId (newOrg) => newOrg.orgId === currentOrg.orgId
); );
if (!newRole) continue; if (!newRole) continue;
const currentRolesInOrg = userRolesInOrgs.filter(
(r) => r.orgId === currentOrg.orgId await trx
.delete(userOrgRoles)
.where(
and(
eq(userOrgRoles.userId, userId!),
eq(userOrgRoles.orgId, currentOrg.orgId)
)
); );
for (const roleId of newRole.roleIds) { for (const roleId of newRole.roleIds) {
const hasIdpRole = currentRolesInOrg.some(
(r) => r.roleId === roleId
);
if (!hasIdpRole) {
await trx.insert(userOrgRoles).values({ await trx.insert(userOrgRoles).values({
userId: userId!, userId: userId!,
orgId: currentOrg.orgId, orgId: currentOrg.orgId,
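Review bot: The `trx.delete(userOrgRoles)` that now opens the loop body runs even when `newRole.roleIds` is empty, so an IdP policy that resolves to no roles for an org strips every role the user holds there and inserts nothing; whether that can leave an org without its last administrator is not visible in this hunk. Decide that case explicitly rather than by accident, e.g. `if (newRole.roleIds.length === 0) continue;` ahead of the delete if an empty mapping should mean "leave as is", or a comment stating that an empty mapping revokes all access in that org. The new comment should also spell out what the old one ruled out, since roles assigned outside the IdP are now dropped on every login: `// Sync roles 1:1 with IdP policy for existing auto-provisioned orgs (roles granted outside the IdP are removed)`. validateOidcCallback continues outside the hunk.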
@@ -604,7 +603,6 @@ export async function validateOidcCallback(
}); });
} }
} }
}
// Add new orgs that don't exist yet (these will be auto-provisioned) // Add new orgs that don't exist yet (these will be auto-provisioned)
const orgsToAdd = userOrgInfo.filter( const orgsToAdd = userOrgInfo.filter(