fix: allow default IdP validation in global mode policies

This commit is contained in:
copilot-swe-agent[bot]
2026-06-16 23:43:36 +00:00
committed by GitHub
parent fec0fea766
commit ad1c8113ea
3 changed files with 63 additions and 13 deletions


@@ -74,13 +74,7 @@ export async function updateResourcePolicies(
const [provider] = await trx
.select()
.from(idp)
.innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
.where(
and(
eq(idp.idpId, policyData["auto-login-idp"]),
eq(idpOrg.orgId, orgId)
)
)
.where(eq(idp.idpId, policyData["auto-login-idp"]))
.limit(1);
if (!provider) {
@@ -88,6 +82,25 @@ export async function updateResourcePolicies(
`Identity provider not found for policy '${policyNiceId}' in this organization`
);
}
if (process.env.IDENTITY_PROVIDER_MODE === "org") {
const [providerOrg] = await trx
.select()
.from(idpOrg)
.where(
and(
eq(idpOrg.idpId, policyData["auto-login-idp"]),
eq(idpOrg.orgId, orgId)
)
)
.limit(1);
if (!providerOrg) {
throw new Error(
`Identity provider not found for policy '${policyNiceId}' in this organization`
);
}
}
}
// Look up the admin role
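Review bot: The new `if (process.env.IDENTITY_PROVIDER_MODE === "org")` guard fails open: when the variable is unset, empty or misspelled, the lookup at `.where(eq(idp.idpId, policyData["auto-login-idp"]))` accepts any IdP id in the database and the `idpOrg` binding check is never run. If, as the commit title suggests, the only modes are `org` and `global`, the guard should name the permissive mode explicitly — `if (process.env.IDENTITY_PROVIDER_MODE !== "global") {` — so an unconfigured deployment still enforces org scoping. A comment above the guard such as `// Global mode: IdPs are shared across orgs, so no idpOrg binding is required` would also record why the check is conditional. Note that the two error messages in this hunk are identical, so a missing IdP and a cross-org IdP are indistinguishable in logs. `updateResourcePolicies` begins and ends outside this hunk.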


@@ -207,8 +207,7 @@ export async function createResourcePolicy(
const [provider] = await db
.select()
.from(idp)
.innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
.where(and(eq(idp.idpId, skipToIdpId), eq(idpOrg.orgId, orgId)))
.where(eq(idp.idpId, skipToIdpId))
.limit(1);
if (!provider) {
@@ -219,6 +218,28 @@ export async function createResourcePolicy(
)
);
}
if (process.env.IDENTITY_PROVIDER_MODE === "org") {
const [providerOrg] = await db
.select()
.from(idpOrg)
.where(
and(
eq(idpOrg.idpId, skipToIdpId),
eq(idpOrg.orgId, orgId)
)
)
.limit(1);
if (!providerOrg) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Identity provider not found in this organization"
)
);
}
}
}
const adminRole = await db
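Review bot: The new `createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "Identity provider not found in this organization")` reports a caller-supplied `skipToIdpId` that belongs to another org as a server fault, which mislabels the failure in logs and returns a 500 for what is a request validation error (the pre-existing branch just above may use the same code, but the new branch need not repeat it). If `HttpCode` has a client-error member, return that instead, e.g. `HttpCode.BAD_REQUEST` or `HttpCode.NOT_FOUND`. Separately, the `=== "org"` gate skips the `idpOrg` check for every other value of `IDENTITY_PROVIDER_MODE`, including an unset one; `!== "global"` would make the stricter check the default. `createResourcePolicy` continues outside the hunk.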


@@ -107,10 +107,7 @@ export async function setResourcePolicyAccessControl(
const [provider] = await db
.select()
.from(idp)
.innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
.where(
and(eq(idp.idpId, idpId), eq(idpOrg.orgId, policy.orgId))
)
.where(eq(idp.idpId, idpId))
.limit(1);
if (!provider) {
@@ -121,6 +118,25 @@ export async function setResourcePolicyAccessControl(
)
);
}
if (process.env.IDENTITY_PROVIDER_MODE === "org") {
const [providerOrg] = await db
.select()
.from(idpOrg)
.where(
and(eq(idpOrg.idpId, idpId), eq(idpOrg.orgId, policy.orgId))
)
.limit(1);
if (!providerOrg) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Identity provider not found in this organization"
)
);
}
}
}
// Check if any of the roleIds are admin roles
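Review bot: This is the third copy of the mode-gated `idp` lookup plus `idpOrg` binding check in this commit (`updateResourcePolicies` and `createResourcePolicy` carry the other two), so the decision of when org scoping applies now lives in three handlers that can drift independently. Extracting it into one helper, e.g. `const provider = await findIdpForOrg(db, idpId, policy.orgId);` that performs the `IDENTITY_PROVIDER_MODE` test internally and returns the provider or `null`, keeps that policy in one place. In global mode the lookup at `.where(eq(idp.idpId, idpId))` accepts any row in `idp`; if that table can still hold org-scoped providers from an earlier org-mode deployment, the helper should confirm the provider is actually global rather than skipping the binding check — I cannot tell from this hunk. `setResourcePolicyAccessControl` starts outside the hunk.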