
관계 조회 권한 사용자 검색 안내 강화

This commit is contained in:
2026-04-20 14:54:53 +09:00
parent 7e0680a71c
commit ea387ff6f2
2 changed files with 59 additions and 12 deletions


@@ -695,13 +695,21 @@ func (h *DevHandler) SearchUsers(c *fiber.Ctx) error {
if profile == nil {
return errorJSON(c, fiber.StatusUnauthorized, "unauthorized: authentication required")
}
if !isDevConsoleRoleAllowed(normalizeUserRole(profile.Role)) {
// Tightened Security: Only SuperAdmin bypasses the client-specific manage check.
// Regular users (RoleUser) or RPAdmins must have the 'manage' permit for the requested clientId.
if normalizeUserRole(profile.Role) != domain.RoleSuperAdmin {
clientID := strings.TrimSpace(c.Query("clientId"))
if clientID == "" {
return errorJSON(c, fiber.StatusBadRequest, "clientId is required for user search")
}
summary, err := h.loadClientSummary(c.Context(), clientID)
if clientID == "" || err != nil || !h.canManageClientRelations(c, profile, summary) {
return errorJSON(c, fiber.StatusForbidden, "forbidden")
if err != nil || !h.canManageClientRelations(c, profile, summary) {
// canManageClientRelations checks for 'manage' permit in Keto.
return errorJSON(c, fiber.StatusForbidden, "forbidden: manage permission required for user search")
}
}
if h.KratosAdmin == nil {
return errorJSON(c, fiber.StatusServiceUnavailable, "kratos admin unavailable")
}