fix: 권한이나 소속이 변경되지 않았을 때 Keto 권한 릴레이션이 불필요하게 삭제 후 재생성되는 버그 수정
@@ -1404,20 +1404,31 @@ func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole
|
|||||||
newRole = domain.NormalizeRole(newRole)
|
newRole = domain.NormalizeRole(newRole)
|
||||||
oldRole = domain.NormalizeRole(oldRole)
|
oldRole = domain.NormalizeRole(oldRole)
|
||||||
|
|
||||||
|
newTID := ""
|
||||||
|
if newTenantID != nil {
|
||||||
|
newTID = *newTenantID
|
||||||
|
}
|
||||||
|
|
||||||
if h.KetoOutboxRepo == nil {
|
if h.KetoOutboxRepo == nil {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if oldRole == newRole && oldTenantID == newTID {
|
||||||
|
return // Nothing changed
|
||||||
|
}
|
||||||
|
|
||||||
// 1. Handle Role Changes
|
// 1. Handle Role Changes
|
||||||
// Remove old roles
|
|
||||||
if oldRole == domain.RoleSuperAdmin {
|
if oldRole == domain.RoleSuperAdmin {
|
||||||
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
|
// Only remove super_admin if the role actually changed (tenant change doesn't matter for global roles)
|
||||||
Namespace: "System",
|
if oldRole != newRole {
|
||||||
Object: "global",
|
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
|
||||||
Relation: "super_admins",
|
Namespace: "System",
|
||||||
Subject: "User:" + userID,
|
Object: "global",
|
||||||
Action: domain.KetoOutboxActionDelete,
|
Relation: "super_admins",
|
||||||
})
|
Subject: "User:" + userID,
|
||||||
|
Action: domain.KetoOutboxActionDelete,
|
||||||
|
})
|
||||||
|
}
|
||||||
} else if oldRole == domain.RoleTenantAdmin && oldTenantID != "" {
|
} else if oldRole == domain.RoleTenantAdmin && oldTenantID != "" {
|
||||||
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
|
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
|
||||||
Namespace: "Tenant",
|
Namespace: "Tenant",
|
||||||
@@ -1430,17 +1441,19 @@ func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole
|
|||||||
|
|
||||||
// Add new roles
|
// Add new roles
|
||||||
if newRole == domain.RoleSuperAdmin {
|
if newRole == domain.RoleSuperAdmin {
|
||||||
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
|
if oldRole != newRole {
|
||||||
Namespace: "System",
|
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
|
||||||
Object: "global",
|
Namespace: "System",
|
||||||
Relation: "super_admins",
|
Object: "global",
|
||||||
Subject: "User:" + userID,
|
Relation: "super_admins",
|
||||||
Action: domain.KetoOutboxActionCreate,
|
Subject: "User:" + userID,
|
||||||
})
|
Action: domain.KetoOutboxActionCreate,
|
||||||
} else if newRole == domain.RoleTenantAdmin && newTenantID != nil {
|
})
|
||||||
|
}
|
||||||
|
} else if newRole == domain.RoleTenantAdmin && newTID != "" {
|
||||||
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
|
_ = h.KetoOutboxRepo.Create(ctx, &domain.KetoOutbox{
|
||||||
Namespace: "Tenant",
|
Namespace: "Tenant",
|
||||||
Object: *newTenantID,
|
Object: newTID,
|
||||||
Relation: "admins",
|
Relation: "admins",
|
||||||
Subject: "User:" + userID,
|
Subject: "User:" + userID,
|
||||||
Action: domain.KetoOutboxActionCreate,
|
Action: domain.KetoOutboxActionCreate,
|
||||||
@@ -1448,11 +1461,6 @@ func (h *UserHandler) syncKetoRole(ctx context.Context, userID, newRole, oldRole
|
|||||||
}
|
}
|
||||||
|
|
||||||
// 2. Handle Tenant Membership (for count)
|
// 2. Handle Tenant Membership (for count)
|
||||||
newTID := ""
|
|
||||||
if newTenantID != nil {
|
|
||||||
newTID = *newTenantID
|
|
||||||
}
|
|
||||||
|
|
||||||
if oldTenantID != newTID {
|
if oldTenantID != newTID {
|
||||||
// Remove from old tenant
|
// Remove from old tenant
|
||||||
if oldTenantID != "" {
|
if oldTenantID != "" {
|
||||||
|
|||||||