✨ update policy access control

2026-05-11 23:04:59 +00:00 · 2026-03-03 01:33:37 +01:00
parent 033cc62ce7
commit 5c280b024e
6 changed files with 335 additions and 190 deletions
--- a/server/private/routers/policy/createResourcePolicy.ts
+++ b/server/private/routers/policy/createResourcePolicy.ts
@@ -6,6 +6,8 @@ import createHttpError from "http-errors";
 import { fromError } from "zod-validation-error";
 import {
    db,
+    idp,
+    idpOrg,
    orgs,
    resourcePolicies,
    rolePolicies,
@@ -107,15 +109,23 @@ export async function createResourcePolicy(

        const { name, sso, userIds, roleIds, skipToIdpId } = parsedBody.data;

-        const isAuthEnabeld = sso; // other conditions will follow
+        // Check if Identity provider in `skipToIdpId` exists
+        if (skipToIdpId) {
+            const [provider] = await db
+                .select()
+                .from(idp)
+                .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
+                .where(and(eq(idp.idpId, skipToIdpId), eq(idpOrg.orgId, orgId)))
+                .limit(1);

-        if (!isAuthEnabeld) {
-            return next(
-                createHttpError(
-                    HttpCode.BAD_REQUEST,
-                    "At least one authentication policy must be set: platform SSO, an authentication method, one-time password, or a rule."
-                )
-            );
+            if (!provider) {
+                return next(
+                    createHttpError(
+                        HttpCode.INTERNAL_SERVER_ERROR,
+                        "Identity provider not found in this organization"
+                    )
+                );
+            }
        }

        const adminRole = await db
@@ -163,7 +173,8 @@ export async function createResourcePolicy(
                    niceId,
                    orgId,
                    name,
-                    sso
+                    sso,
+                    idpId: skipToIdpId
                })
                .returning();