kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

feat: prevent self-removal and last admin/owner removal in tenant handler

Browse Source
This commit is contained in:
조찬영
2026-03-19 11:12:42 +09:00
parent 4b42249609
commit a6c552236f
1 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
backend/internal/handler/tenant_handler.go
View File

@@ -539,6 +539,30 @@ func (h *TenantHandler) RemoveAdmin(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusBadRequest, "tenantId and userId are required")
}
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok {
if profile.ID == userID {
return errorJSON(c, fiber.StatusBadRequest, "cannot remove yourself from admin role")
}
}
if h.Keto != nil {
if relations, err := h.Keto.ListRelations(c.Context(), "Tenant", tenantID, "admins", ""); err == nil {
adminCount := 0
isTargetAdmin := false
for _, rel := range relations {
if strings.HasPrefix(rel.SubjectID, "User:") {
adminCount++
if rel.SubjectID == "User:"+userID {
isTargetAdmin = true
}
}
}
if isTargetAdmin && adminCount <= 1 {
return errorJSON(c, fiber.StatusBadRequest, "cannot remove the last admin")
}
}
}
if h.KetoOutbox != nil {
_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
Namespace: "Tenant",
@@ -646,6 +670,30 @@ func (h *TenantHandler) RemoveOwner(c *fiber.Ctx) error {
return errorJSON(c, fiber.StatusBadRequest, "tenantId and userId are required")
}
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok {
if profile.ID == userID {
return errorJSON(c, fiber.StatusBadRequest, "cannot remove yourself from owner role")
}
}
if h.Keto != nil {
if relations, err := h.Keto.ListRelations(c.Context(), "Tenant", tenantID, "owners", ""); err == nil {
ownerCount := 0
isTargetOwner := false
for _, rel := range relations {
if strings.HasPrefix(rel.SubjectID, "User:") {
ownerCount++
if rel.SubjectID == "User:"+userID {
isTargetOwner = true
}
}
}
if isTargetOwner && ownerCount <= 1 {
return errorJSON(c, fiber.StatusBadRequest, "cannot remove the last owner")
}
}
}
if h.KetoOutbox != nil {
_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
Namespace: "Tenant",