forked from baron/baron-sso

fix: improve keto sync reliability and initial rebac permissions for super admin

This commit is contained in:
2026-04-06 10:10:27 +09:00
parent bd296f9425
commit 583755c189
11 changed files with 254 additions and 81 deletions


@@ -2,11 +2,23 @@ import { Namespace, Subject, Context, SubjectSet } from "@ory/keto-definitions"
class User implements Namespace {}
class System implements Namespace {
related: {
super_admins: User[]
authenticated_users: User[]
}
permits = {
manage_all: (ctx: Context): boolean =>
this.related.super_admins.includes(ctx.subject)
}
}
class Tenant implements Namespace {
related: {
owners: User[]
admins: User[]
members: User[]
owners: (User | SubjectSet<System, "super_admins">)[]
admins: (User | SubjectSet<System, "super_admins">)[]
members: (User | SubjectSet<System, "super_admins"> | SubjectSet<Tenant, "admins"> | SubjectSet<Tenant, "owners">)[]
parents: Tenant[]
}
@@ -33,9 +45,9 @@ class Tenant implements Namespace {
class RelyingParty implements Namespace {
related: {
admins: User[]
admins: (User | SubjectSet<System, "super_admins"> | SubjectSet<Tenant, "admins"> | SubjectSet<Tenant, "owners">)[]
parents: Tenant[]
access: (User | SubjectSet<Tenant, "members"> | SubjectSet<System, "authenticated_users">)[]
access: (User | SubjectSet<Tenant, "members"> | SubjectSet<System, "authenticated_users"> | SubjectSet<System, "super_admins">)[]
}
permits = {
@@ -52,15 +64,3 @@ class RelyingParty implements Namespace {
this.permits.manage(ctx)
}
}
class System implements Namespace {
related: {
super_admins: User[]
authenticated_users: User[]
}
permits = {
manage_all: (ctx: Context): boolean =>
this.related.super_admins.includes(ctx.subject)
}
}
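Review bot: The `System` namespace is moved above `Tenant` without a comment saying why, and since `Tenant.owners`, `Tenant.admins`, `Tenant.members` and `RelyingParty.access` now name `SubjectSet<System, "super_admins">`, the placement looks load-bearing for how the OPL file is parsed rather than cosmetic; a line above `class System` such as `// Declared first: Tenant and RelyingParty subject sets below reference System.super_admins` would keep a later tidy-up from reordering it. The widened `related` unions only permit relation tuples of those shapes to be written and grant nothing until matching tuples exist, so it would help to note next to each new `SubjectSet<System, "super_admins">` entry which sync step is expected to write the corresponding tuple (the commit title mentions keto sync, but those writes are outside this file). `Tenant.members` now admits `SubjectSet<Tenant, "admins">` and `SubjectSet<Tenant, "owners">`, which themselves admit `SubjectSet<System, "super_admins">`, so a super admin would presumably reach `RelyingParty.access` through `members` as well as through the direct entry added on the `access` line; if the direct entry is meant for relying parties whose tenant never receives member tuples, a comment saying so would make the redundancy intentional. The Tenant and RelyingParty permits that consume these relations start outside this hunk.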


@@ -156,4 +156,4 @@
"authorizer": { "handler": "allow" },
"mutators": [{ "handler": "noop" }]
}
]
]