calvin.erfmann/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-06-05 23:28:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Get user resources from the right table

Browse Source
This commit is contained in:
Owen
2026-06-03 16:53:39 -07:00
parent d00b737412
commit bc6fd0b399
4 changed files with 53 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
server/db/queries/verifySessionQueries.ts
View File

@@ -47,6 +47,7 @@ export type ResourceWithAuth = {
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
applyRules: boolean;
sso: boolean;
emailWhitelistEnabled: boolean;
org: Org;
};
@@ -222,12 +223,16 @@ export async function getResourceByDomain(
const effectiveApplyRules =
selectedPolicy?.applyRules ?? result.resources.applyRules;
const effectiveSSO = selectedPolicy?.sso ?? result.resources.sso;
const effectiveEmailWhitelistEnabled =
selectedPolicy?.emailWhitelistEnabled ??
result.resources.emailWhitelistEnabled;
return {
resource: {
...result.resources,
applyRules: effectiveApplyRules,
sso: effectiveSSO
sso: effectiveSSO,
emailWhitelistEnabled: effectiveEmailWhitelistEnabled
}, // doing this for backward compatability so the remote nodes get the value as part of the resource struct
pincode: effectivePolicyPincode ?? result.resourcePincode,
password: effectivePolicyPassword ?? result.resourcePassword,
@@ -242,6 +247,7 @@ export async function getResourceByDomain(
: result.resourceHeaderAuthExtendedCompatibility,
applyRules: effectiveApplyRules,
sso: effectiveSSO,
emailWhitelistEnabled: effectiveEmailWhitelistEnabled,
org: result.orgs
};
}

12
server/private/routers/hybrid.ts
View File

@@ -216,6 +216,9 @@ export type ResourceWithAuth = {
password: ResourcePassword | ResourcePolicyPassword | null;
headerAuth: ResourceHeaderAuth | ResourcePolicyHeaderAuth | null;
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
applyRules: boolean;
sso: boolean;
emailWhitelistEnabled: boolean;
org: Org;
};
@@ -687,12 +690,16 @@ hybridRouter.get(
const effectiveApplyRules =
selectedPolicy?.applyRules ?? result.resources.applyRules;
const effectiveSSO = selectedPolicy?.sso ?? result.resources.sso;
const effectiveEmailWhitelistEnabled =
selectedPolicy?.emailWhitelistEnabled ??
result.resources.emailWhitelistEnabled;
const resourceWithAuth: ResourceWithAuth = {
resource: {
...result.resources,
applyRules: effectiveApplyRules,
sso: effectiveSSO
sso: effectiveSSO,
emailWhitelistEnabled: effectiveEmailWhitelistEnabled
},
pincode: effectivePolicyPincode ?? result.resourcePincode,
password: effectivePolicyPassword ?? result.resourcePassword,
@@ -706,6 +713,9 @@ hybridRouter.get(
effectivePolicyHeaderAuth.extendedCompatibility
} as ResourceHeaderAuthExtendedCompatibility)
: result.resourceHeaderAuthExtendedCompatibility,
applyRules: effectiveApplyRules,
sso: effectiveSSO,
emailWhitelistEnabled: effectiveEmailWhitelistEnabled,
org: result.orgs
};

10
server/routers/badger/verifySession.ts
View File

@@ -146,6 +146,7 @@ export async function verifyResourceSession(
headerAuthExtendedCompatibility: ResourceHeaderAuthExtendedCompatibility | null;
applyRules: boolean;
sso: boolean;
emailWhitelistEnabled: boolean;
org: Org;
}
| undefined = localCache.get(resourceCacheKey);
@@ -182,6 +183,7 @@ export async function verifyResourceSession(
pincode,
password,
headerAuth,
emailWhitelistEnabled,
headerAuthExtendedCompatibility
} = resourceData;
@@ -279,7 +281,7 @@ export async function verifyResourceSession(
!sso &&
!pincode &&
!password &&
!resource.emailWhitelistEnabled &&
!emailWhitelistEnabled &&
!headerAuth
) {
logger.debug("Resource allowed because no auth");
@@ -464,7 +466,7 @@ export async function verifyResourceSession(
!sso &&
!pincode &&
!password &&
!resource.emailWhitelistEnabled &&
!emailWhitelistEnabled &&
!headerAuthExtendedCompatibility?.extendedCompatibilityIsActivated
) {
logRequestAudit(
@@ -486,7 +488,7 @@ export async function verifyResourceSession(
!sso &&
!pincode &&
!password &&
!resource.emailWhitelistEnabled &&
!emailWhitelistEnabled &&
!headerAuthExtendedCompatibility?.extendedCompatibilityIsActivated
) {
logRequestAudit(
@@ -634,7 +636,7 @@ export async function verifyResourceSession(
}
if (
resource.emailWhitelistEnabled &&
emailWhitelistEnabled &&
(resourceSession.whitelistId ||
resourceSession.policyWhitelistId)
) {

33
server/routers/resource/getUserResources.ts
View File

@@ -80,14 +80,32 @@ export async function getUserResources(
const directResourcesQuery = db
.select({ resourceId: userResources.resourceId })
.from(userResources)
.where(eq(userResources.userId, userId));
.innerJoin(
resources,
eq(userResources.resourceId, resources.resourceId)
)
.where(
and(
eq(userResources.userId, userId),
eq(resources.orgId, orgId)
)
);
const roleResourcesQuery =
userRoleIds.length > 0
? db
.select({ resourceId: roleResources.resourceId })
.from(roleResources)
.where(inArray(roleResources.roleId, userRoleIds))
.innerJoin(
resources,
eq(roleResources.resourceId, resources.resourceId)
)
.where(
and(
inArray(roleResources.roleId, userRoleIds),
eq(resources.orgId, orgId)
)
)
: Promise.resolve([]);
const directPolicyResourcesQuery = db
@@ -97,7 +115,9 @@ export async function getUserResources(
userPolicies,
eq(effectiveResourcePolicyId, userPolicies.resourcePolicyId)
)
.where(eq(userPolicies.userId, userId));
.where(
and(eq(userPolicies.userId, userId), eq(resources.orgId, orgId))
);
const rolePolicyResourcesQuery =
userRoleIds.length > 0
@@ -111,7 +131,12 @@ export async function getUserResources(
rolePolicies.resourcePolicyId
)
)
.where(inArray(rolePolicies.roleId, userRoleIds))
.where(
and(
inArray(rolePolicies.roleId, userRoleIds),
eq(resources.orgId, orgId)
)
)
: Promise.resolve([]);
const directSiteResourcesQuery = db