local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 67 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

Add OidcRoleSync: apply Admin/Mitglied from OIDC groups

Browse source 
Register and sign-in call apply_admin_role_from_user_info; users in configured
admin group get Admin role, others get Mitglied. Internal User action + bypass policy.
This commit is contained in:
Moritz 2026-02-04 16:18:18 +01:00 committed by moritz
parent a6e35da0f7
commit 99722dee26
4 changed files with 302 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

22
lib/mv/authorization/checks/oidc_role_sync_context.ex Normal file
View file

@ -0,0 +1,22 @@
defmodule Mv.Authorization.Checks.OidcRoleSyncContext do
@moduledoc """
Policy check: true when the action is being run from OIDC role sync (context.private.oidc_role_sync).
Used to allow the internal set_role_from_oidc_sync action when called by Mv.OidcRoleSync
without an actor.
"""
use Ash.Policy.SimpleCheck
@impl true
def describe(_opts), do: "called from OIDC role sync (context.private.oidc_role_sync)"
@impl true
def match?(_actor, authorizer, _opts) do
# Context from opts (e.g. Ash.update!(..., context: %{private: %{oidc_role_sync: true}}))
context = Map.get(authorizer, :context) || %{}
from_context = get_in(context, [:private, :oidc_role_sync]) == true
# When update runs inside create's after_action, context may not be passed; use process dict.
from_process = Process.get(:oidc_role_sync) == true
from_context or from_process
end
end