feat: prevent self-removal and last admin/owner removal in tenant handler
@@ -539,6 +539,30 @@ func (h *TenantHandler) RemoveAdmin(c *fiber.Ctx) error {
|
|||||||
return errorJSON(c, fiber.StatusBadRequest, "tenantId and userId are required")
|
return errorJSON(c, fiber.StatusBadRequest, "tenantId and userId are required")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok {
|
||||||
|
if profile.ID == userID {
|
||||||
|
return errorJSON(c, fiber.StatusBadRequest, "cannot remove yourself from admin role")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if h.Keto != nil {
|
||||||
|
if relations, err := h.Keto.ListRelations(c.Context(), "Tenant", tenantID, "admins", ""); err == nil {
|
||||||
|
adminCount := 0
|
||||||
|
isTargetAdmin := false
|
||||||
|
for _, rel := range relations {
|
||||||
|
if strings.HasPrefix(rel.SubjectID, "User:") {
|
||||||
|
adminCount++
|
||||||
|
if rel.SubjectID == "User:"+userID {
|
||||||
|
isTargetAdmin = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if isTargetAdmin && adminCount <= 1 {
|
||||||
|
return errorJSON(c, fiber.StatusBadRequest, "cannot remove the last admin")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if h.KetoOutbox != nil {
|
if h.KetoOutbox != nil {
|
||||||
_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
|
_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
|
||||||
Namespace: "Tenant",
|
Namespace: "Tenant",
|
||||||
@@ -646,6 +670,30 @@ func (h *TenantHandler) RemoveOwner(c *fiber.Ctx) error {
|
|||||||
return errorJSON(c, fiber.StatusBadRequest, "tenantId and userId are required")
|
return errorJSON(c, fiber.StatusBadRequest, "tenantId and userId are required")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok {
|
||||||
|
if profile.ID == userID {
|
||||||
|
return errorJSON(c, fiber.StatusBadRequest, "cannot remove yourself from owner role")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if h.Keto != nil {
|
||||||
|
if relations, err := h.Keto.ListRelations(c.Context(), "Tenant", tenantID, "owners", ""); err == nil {
|
||||||
|
ownerCount := 0
|
||||||
|
isTargetOwner := false
|
||||||
|
for _, rel := range relations {
|
||||||
|
if strings.HasPrefix(rel.SubjectID, "User:") {
|
||||||
|
ownerCount++
|
||||||
|
if rel.SubjectID == "User:"+userID {
|
||||||
|
isTargetOwner = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if isTargetOwner && ownerCount <= 1 {
|
||||||
|
return errorJSON(c, fiber.StatusBadRequest, "cannot remove the last owner")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if h.KetoOutbox != nil {
|
if h.KetoOutbox != nil {
|
||||||
_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
|
_ = h.KetoOutbox.Create(c.Context(), &domain.KetoOutbox{
|
||||||
Namespace: "Tenant",
|
Namespace: "Tenant",
|
||||||
|
|||||||
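Review bot: The last-admin and last-owner guards fail open: in both hunks the count runs only inside `if relations, err := h.Keto.ListRelations(...); err == nil {`, so a Keto error (or `h.Keto == nil`) silently skips the guard and the handler falls through to the `KetoOutbox.Create` that queues the removal, which is exactly the path the commit says it is closing. Fail closed instead by checking the error explicitly: `relations, err := h.Keto.ListRelations(c.Context(), "Tenant", tenantID, "admins", "")` followed by `if err != nil { return errorJSON(c, fiber.StatusInternalServerError, "could not verify admin membership") }` (same for "owners"), and decide deliberately whether a nil `h.Keto` should also block the removal. The check is also a read-then-write with no lock, so two concurrent requests removing two different admins can both observe `adminCount == 2` and pass; if the outbox consumer cannot enforce the invariant, that is worth a `// NOTE: not atomic; concurrent removals can still drop below one admin` comment. The two blocks are line-for-line duplicates apart from the relation name, so a shared `h.isLastMember(ctx, tenantID, relation, userID)` helper would keep the two paths from drifting. Both `RemoveAdmin` and `RemoveOwner` begin and end outside these hunks, and whether the self-removal check should also apply when `user_profile` is absent from `c.Locals` (e.g. a non-interactive caller) is not visible from here.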