fix: allow default IdP validation in global mode policies

2026-06-17 21:01:53 +00:00 · 2026-06-16 23:43:36 +00:00
parent fec0fea766
commit ad1c8113ea
3 changed files with 63 additions and 13 deletions
--- a/server/routers/policy/setResourcePolicyAccessControl.ts
+++ b/server/routers/policy/setResourcePolicyAccessControl.ts
@@ -107,10 +107,7 @@ export async function setResourcePolicyAccessControl(
            const [provider] = await db
                .select()
                .from(idp)
-                .innerJoin(idpOrg, eq(idpOrg.idpId, idp.idpId))
-                .where(
-                    and(eq(idp.idpId, idpId), eq(idpOrg.orgId, policy.orgId))
-                )
+                .where(eq(idp.idpId, idpId))
                .limit(1);

            if (!provider) {
@@ -121,6 +118,25 @@ export async function setResourcePolicyAccessControl(
                    )
                );
            }
+
+            if (process.env.IDENTITY_PROVIDER_MODE === "org") {
+                const [providerOrg] = await db
+                    .select()
+                    .from(idpOrg)
+                    .where(
+                        and(eq(idpOrg.idpId, idpId), eq(idpOrg.orgId, policy.orgId))
+                    )
+                    .limit(1);
+
+                if (!providerOrg) {
+                    return next(
+                        createHttpError(
+                            HttpCode.INTERNAL_SERVER_ERROR,
+                            "Identity provider not found in this organization"
+                        )
+                    );
+                }
+            }
        }

        // Check if any of the roleIds are admin roles