
fix: improve keto sync reliability and initial rebac permissions for super admin

2026-04-06 10:10:27 +09:00
parent bd296f9425
commit 583755c189
11 changed files with 254 additions and 81 deletions


@@ -363,8 +363,8 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
return false, nil
}
// Check with Keto: System:AppManager#member
allowed, err := h.Keto.CheckPermission(c.Context(), subject, "System", "AppManager", "member")
// Check with Keto: System:global#manage_all
allowed, err := h.Keto.CheckPermission(c.Context(), subject, "System", "global", "manage_all")
if err != nil {
// Fail closed for dev private endpoints: deny on permission backend error.
slog.Warn("Dev private permission check failed; denying access", "subject", subject, "error", err)
@@ -442,8 +442,8 @@ func (h *DevHandler) checkAppManagerPermission(c *fiber.Ctx) (bool, error) {
}
}
// Check with Keto: System:AppManager#member
allowed, err := h.Keto.CheckPermission(c.Context(), tokenSubject, "System", "AppManager", "member")
// Check with Keto: System:global#manage_all
allowed, err := h.Keto.CheckPermission(c.Context(), tokenSubject, "System", "global", "manage_all")
if err != nil {
// Fail closed for dev private endpoints: deny on permission backend error.
slog.Warn("Dev private permission check failed; denying access", "subject", tokenSubject, "error", err)