
fix: 권한이나 소속이 변경되지 않았을 때 Keto 권한 릴레이션이 불필요하게 삭제 후 재생성되는 버그 수정

2026-03-25 17:01:55 +09:00
parent aad4ea84a1
commit ab9cbfc897


@@ -1404,13 +1404,23 @@ func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole
newRole = domain.NormalizeRole(newRole) newRole = domain.NormalizeRole(newRole)
oldRole = domain.NormalizeRole(oldRole) oldRole = domain.NormalizeRole(oldRole)
newTID := ""
if newTenantID != nil {
newTID = *newTenantID
}
if h.KetoOutboxRepo == nil { if h.KetoOutboxRepo == nil {
return return
} }
if oldRole == newRole && oldTenantID == newTID {
return // Nothing changed
}
// 1. Handle Role Changes // 1. Handle Role Changes
// Remove old roles
if oldRole == domain.RoleSuperAdmin { if oldRole == domain.RoleSuperAdmin {
// Only remove super_admin if the role actually changed (tenant change doesn't matter for global roles)
if oldRole != newRole {
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{ _ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
Namespace: "System", Namespace: "System",
Object: "global", Object: "global",
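Review bot: The early return on `oldRole == newRole && oldTenantID == newTID` also drops the unconditional delete-then-recreate that previously doubled as a repair of any drifted Keto relation, and the function still discards every outbox write with `_ = h.KetoOutboxRepo.Create(...)`, so a lost revocation (for example the `System`/`global` super_admin delete in this hunk) now leaves a stale privilege with nothing that repairs or reports it. Since syncKetoRole has no error return, capturing the result at least at the delete sites, `if err := h.KetoOutboxRepo.Create(ctx, ...); err != nil { ... }`, and recording it through whatever logger the handler has would make a silently lost revocation visible. The trade-off deserves a sentence above the guard, e.g. `// Nothing changed: skip the outbox round-trip. This also skips the re-create that used to restore a drifted relation.` The `oldRole != newRole` test is repeated for the super_admin delete here and for the super_admin create in the third hunk; a single `roleChanged := oldRole != newRole` next to the guard would keep the two in step. syncKetoRole's body continues past this hunk.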
@@ -1418,6 +1428,7 @@ func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole
Subject: "User:" + userID, Subject: "User:" + userID,
Action: domain.KetoOutboxActionDelete, Action: domain.KetoOutboxActionDelete,
}) })
}
} else if oldRole == domain.RoleTenantAdmin && oldTenantID != "" { } else if oldRole == domain.RoleTenantAdmin && oldTenantID != "" {
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{ _ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
Namespace: "Tenant", Namespace: "Tenant",
@@ -1430,6 +1441,7 @@ func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole
// Add new roles // Add new roles
if newRole == domain.RoleSuperAdmin { if newRole == domain.RoleSuperAdmin {
if oldRole != newRole {
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{ _ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
Namespace: "System", Namespace: "System",
Object: "global", Object: "global",
@@ -1437,10 +1449,11 @@ func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole
Subject: "User:" + userID, Subject: "User:" + userID,
Action: domain.KetoOutboxActionCreate, Action: domain.KetoOutboxActionCreate,
}) })
} else if newRole == domain.RoleTenantAdmin && newTenantID != nil { }
} else if newRole == domain.RoleTenantAdmin && newTID != "" {
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{ _ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
Namespace: "Tenant", Namespace: "Tenant",
Object: *newTenantID, Object: newTID,
Relation: "admins", Relation: "admins",
Subject: "User:" + userID, Subject: "User:" + userID,
Action: domain.KetoOutboxActionCreate, Action: domain.KetoOutboxActionCreate,
@@ -1448,11 +1461,6 @@ func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole
} }
// 2. Handle Tenant Membership (for count) // 2. Handle Tenant Membership (for count)
newTID := ""
if newTenantID != nil {
newTID = *newTenantID
}
if oldTenantID != newTID { if oldTenantID != newTID {
// Remove from old tenant // Remove from old tenant
if oldTenantID != "" { if oldTenantID != "" {