set roles 1:1 on auto provision
@@ -579,30 +579,28 @@ export async function validateOidcCallback(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Ensure IDP-provided role exists for existing auto-provisioned orgs (add only; never delete other roles)
|
// Sync roles 1:1 with IdP policy for existing auto-provisioned orgs
|
||||||
const userRolesInOrgs = await trx
|
|
||||||
.select()
|
|
||||||
.from(userOrgRoles)
|
|
||||||
.where(eq(userOrgRoles.userId, userId!));
|
|
||||||
for (const currentOrg of autoProvisionedOrgs) {
|
for (const currentOrg of autoProvisionedOrgs) {
|
||||||
const newRole = userOrgInfo.find(
|
const newRole = userOrgInfo.find(
|
||||||
(newOrg) => newOrg.orgId === currentOrg.orgId
|
(newOrg) => newOrg.orgId === currentOrg.orgId
|
||||||
);
|
);
|
||||||
if (!newRole) continue;
|
if (!newRole) continue;
|
||||||
const currentRolesInOrg = userRolesInOrgs.filter(
|
|
||||||
(r) => r.orgId === currentOrg.orgId
|
await trx
|
||||||
);
|
.delete(userOrgRoles)
|
||||||
for (const roleId of newRole.roleIds) {
|
.where(
|
||||||
const hasIdpRole = currentRolesInOrg.some(
|
and(
|
||||||
(r) => r.roleId === roleId
|
eq(userOrgRoles.userId, userId!),
|
||||||
|
eq(userOrgRoles.orgId, currentOrg.orgId)
|
||||||
|
)
|
||||||
);
|
);
|
||||||
if (!hasIdpRole) {
|
|
||||||
await trx.insert(userOrgRoles).values({
|
for (const roleId of newRole.roleIds) {
|
||||||
userId: userId!,
|
await trx.insert(userOrgRoles).values({
|
||||||
orgId: currentOrg.orgId,
|
userId: userId!,
|
||||||
roleId
|
orgId: currentOrg.orgId,
|
||||||
});
|
roleId
|
||||||
}
|
});
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
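Review bot: The new `trx.delete(userOrgRoles)` for the user and `currentOrg.orgId` runs before the insert loop with no check on `newRole.roleIds`, so if the IdP mapping ever resolves to an empty list the user keeps the org membership but loses every role row in it. If an empty list is possible here (the code that builds `userOrgInfo` is outside the hunk), decide that case explicitly, e.g. `if (newRole.roleIds.length === 0) continue;` ahead of the delete, or remove the membership instead. The delete also drops roles that were granted locally rather than by the IdP, which the old comment promised never to do; the replacement comment should say so, for example `// IdP is authoritative: roles granted outside the IdP policy are removed on each login`, and a log line recording the removed role ids would make an unexpected loss of an admin role traceable. `validateOidcCallback` starts and ends outside the hunk.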