Merge origin/dev into dev

2026-06-15 20:05:47 +09:00
parent 4d468cd39f 50ce44c236
commit 202c783920
67 changed files with 6933 additions and 3919 deletions
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -4928,6 +4928,125 @@ func (h *AuthHandler) hydrateResolvedProfile(ctx context.Context, profile *domai
 		}
 	}

+	if h.KetoService != nil {
+		subject := "User:" + profile.ID
+		var sp domain.SystemPermissions
+
+		if profile.Role == "super_admin" {
+			sp = domain.SystemPermissions{
+				Overview:                true,
+				Tenants:                 true,
+				OrgChart:                true,
+				Worksmobile:             true,
+				OrySSOT:                 true,
+				DataIntegrity:           true,
+				Users:                   true,
+				PermissionsDirect:       true,
+				AuthGuard:               true,
+				ApiKeys:                 true,
+				AuditLogs:               true,
+				ManageOverview:          true,
+				ManageTenants:           true,
+				ManageOrgChart:          true,
+				ManageWorksmobile:       true,
+				ManageOrySSOT:           true,
+				ManageDataIntegrity:     true,
+				ManageUsers:             true,
+				ManagePermissionsDirect: true,
+				ManageAuthGuard:         true,
+				ManageApiKeys:           true,
+				ManageAuditLogs:         true,
+			}
+		} else {
+			// Query Keto in parallel for maximum performance
+			type checkResult struct {
+				menu    string
+				allowed bool
+			}
+			menus := map[string]string{
+				"overview":                  "access_overview",
+				"manage_overview":           "manage_overview",
+				"tenants":                   "access_tenants",
+				"manage_tenants":            "manage_tenants",
+				"org_chart":                 "access_org_chart",
+				"manage_org_chart":          "manage_org_chart",
+				"worksmobile":               "access_worksmobile",
+				"manage_worksmobile":        "manage_worksmobile",
+				"ory_ssot":                  "access_ory_ssot",
+				"manage_ory_ssot":           "manage_ory_ssot",
+				"data_integrity":            "access_data_integrity",
+				"manage_data_integrity":     "manage_data_integrity",
+				"users":                     "access_users",
+				"manage_users":              "manage_users",
+				"permissions_direct":        "access_permissions_direct",
+				"manage_permissions_direct": "manage_permissions_direct",
+				"auth_guard":                "access_auth_guard",
+				"manage_auth_guard":         "manage_auth_guard",
+				"api_keys":                  "access_api_keys",
+				"manage_api_keys":           "manage_api_keys",
+				"audit_logs":                "access_audit_logs",
+				"manage_audit_logs":         "manage_audit_logs",
+			}
+			ch := make(chan checkResult, len(menus))
+			for m, rel := range menus {
+				go func(menuName, relation string) {
+					allowed, _ := h.KetoService.CheckPermission(ctx, subject, "System", "system", relation)
+					ch <- checkResult{menu: menuName, allowed: allowed}
+				}(m, rel)
+			}
+			for range menus {
+				res := <-ch
+				switch res.menu {
+				case "overview":
+					sp.Overview = res.allowed
+				case "manage_overview":
+					sp.ManageOverview = res.allowed
+				case "tenants":
+					sp.Tenants = res.allowed
+				case "manage_tenants":
+					sp.ManageTenants = res.allowed
+				case "org_chart":
+					sp.OrgChart = res.allowed
+				case "manage_org_chart":
+					sp.ManageOrgChart = res.allowed
+				case "worksmobile":
+					sp.Worksmobile = res.allowed
+				case "manage_worksmobile":
+					sp.ManageWorksmobile = res.allowed
+				case "ory_ssot":
+					sp.OrySSOT = res.allowed
+				case "manage_ory_ssot":
+					sp.ManageOrySSOT = res.allowed
+				case "data_integrity":
+					sp.DataIntegrity = res.allowed
+				case "manage_data_integrity":
+					sp.ManageDataIntegrity = res.allowed
+				case "users":
+					sp.Users = res.allowed
+				case "manage_users":
+					sp.ManageUsers = res.allowed
+				case "permissions_direct":
+					sp.PermissionsDirect = res.allowed
+				case "manage_permissions_direct":
+					sp.ManagePermissionsDirect = res.allowed
+				case "auth_guard":
+					sp.AuthGuard = res.allowed
+				case "manage_auth_guard":
+					sp.ManageAuthGuard = res.allowed
+				case "api_keys":
+					sp.ApiKeys = res.allowed
+				case "manage_api_keys":
+					sp.ManageApiKeys = res.allowed
+				case "audit_logs":
+					sp.AuditLogs = res.allowed
+				case "manage_audit_logs":
+					sp.ManageAuditLogs = res.allowed
+				}
+			}
+		}
+		profile.SystemPermissions = &sp
+	}
+
 	return profile
 }

@@ -8426,7 +8545,7 @@ func buildHydraAuthorizationURL(clientID string, scopes []string, redirectURIs [
 	seen := map[string]struct{}{}
 	for _, scope := range append([]string{"openid"}, scopes...) {
 		scope = strings.TrimSpace(scope)
-		if scope == "" || isRefreshTokenScopeAlias(scope) {
+		if scope == "" || isLegacyRefreshTokenScopeAlias(scope) {
 			continue
 		}
 		if _, ok := seen[scope]; ok {