Code-review follow-ups: policy, docs, seed_admin behaviour
- Use OidcRoleSyncContext for set_role_from_oidc_sync; document JWT peek risk. - seed_admin without password sets Admin role on existing user (OIDC-only); update docs and test. - Fix DE translation for 'access this page'; add get? true comment in User.
parent
d573a22769
commit
c5f1fdce0a
7 changed files with 51 additions and 19 deletions
|
|
@ -258,6 +258,7 @@ defmodule Mv.Accounts.User do
|
|||
end
|
||||
|
||||
read :sign_in_with_rauthy do
|
||||
# Single record expected; required for AshAuthentication OAuth2 strategy (returns list of 0 or 1).
|
||||
get? true
|
||||
argument :user_info, :map, allow_nil?: false
|
||||
argument :oauth_tokens, :map, allow_nil?: false
|
||||
|
|
@ -356,10 +357,10 @@ defmodule Mv.Accounts.User do
|
|||
end
|
||||
|
||||
# set_role_from_oidc_sync: internal only (called from Mv.OidcRoleSync on registration/sign-in).
|
||||
# Not exposed in code_interface; must never be callable by clients.
|
||||
# Not exposed in code_interface; only allowed when context.private.oidc_role_sync is set.
|
||||
bypass action(:set_role_from_oidc_sync) do
|
||||
description "Internal: OIDC role sync (server-side only)"
|
||||
authorize_if always()
|
||||
authorize_if Mv.Authorization.Checks.OidcRoleSyncContext
|
||||
end
|
||||
|
||||
# UPDATE/DESTROY via HasPermission (evaluates PermissionSets scope)
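Review bot: The `bypass action(:set_role_from_oidc_sync)` block only settles the request when `Mv.Authorization.Checks.OidcRoleSyncContext` passes; a bypass that fails does not forbid, so evaluation continues with the policies after it. The next policy visible here is the `HasPermission` one for UPDATE/DESTROY, whose body is outside the hunk. If `set_role_from_oidc_sync` is an update action (its definition is not shown), a caller with ordinary update permission on the user may still be authorized for it without the private context. Consider adding an explicit deny directly after the bypass, `policy action(:set_role_from_oidc_sync) do forbid_if always() end`, so the rule in the comment is enforced by policy rather than by the action being absent from code_interface. If it holds, the comment could also record that `context.private` is set only by `Mv.OidcRoleSync` and is never populated from client-supplied input.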
|
||||
|
|
|
|||