Register and sign-in call apply_admin_role_from_user_info; users in the configured admin group get the Admin role, others get Mitglied. Internal User action + bypass policy.
defmodule Mv.Authorization.Checks.OidcRoleSyncContext do
  @moduledoc """
  Policy check meant to pass only while OIDC role sync is running.

  Intended for the internal `set_role_from_oidc_sync` action, which `Mv.OidcRoleSync`
  invokes without an actor. Either of two signals satisfies the check:

    * `context.private.oidc_role_sync` set to `true` on the action, e.g.
      `Ash.update!(changeset, context: %{private: %{oidc_role_sync: true}})`
    * the process-dictionary key `:oidc_role_sync` set to `true`, covering the update
      that runs inside create's `after_action`, where the context may not be forwarded

  NOTE(review): the process-dictionary signal is ambient. It stays set until the caller
  deletes it, so any action authorised in that process afterwards also passes this check;
  a caller that sets it should remove it again in an `after` block.
  """

  use Ash.Policy.SimpleCheck

  @impl true
  def describe(_opts), do: "called from OIDC role sync (context.private.oidc_role_sync)"

  @impl true
  def match?(_actor, authorizer, _opts) do
    sync_flag_in_context?(authorizer) or sync_flag_in_process?()
  end

  # Explicit signal: the flag was passed in the action context.
  defp sync_flag_in_context?(authorizer) do
    authorizer
    |> context_of()
    |> get_in([:private, :oidc_role_sync])
    |> Kernel.==(true)
  end

  # The authorizer may carry no context at all; treat that as an empty one.
  defp context_of(authorizer), do: Map.get(authorizer, :context) || %{}

  # Fallback signal: the flag was stashed in the process dictionary by the caller.
  defp sync_flag_in_process?, do: Process.get(:oidc_role_sync) == true
end