[PR #3295] Fix default IdP validation for resource policies in global identity-provider mode #36934

Open
opened 2026-06-18 22:11:40 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/3295
Author: @Copilot
Created: 6/16/2026
Status: 🔄 Open

Base: dependabot/npm_and_yarn/dev-minor-updates-4bbcce3681Head: copilot/fix-default-identity-provider


📝 Commits (3)

  • fec0fea Initial plan
  • ad1c811 fix: allow default IdP validation in global mode policies
  • 3b68139 fix: clarify IdP validation messages across policy flows

📊 Changes

3 files changed (+66 additions, -16 deletions)

View changed files

📝 server/lib/blueprints/resourcePolicies.ts (+21 -8)
📝 server/private/routers/policy/createResourcePolicy.ts (+24 -3)
📝 server/routers/policy/setResourcePolicyAccessControl.ts (+21 -5)

📄 Description

After 1.19.x resource-policy migration, saving a default identity provider could fail with Identity provider not found in this organization even when the IdP was valid in global mode. This PR aligns policy IdP validation with IDENTITY_PROVIDER_MODE semantics so global IdPs are accepted where appropriate.

  • Validation semantics update (policy access-control + policy creation)

    • Updated IdP checks to first validate idp.idpId existence.
    • Only enforce idpOrg(orgId) linkage when IDENTITY_PROVIDER_MODE === "org".
  • Blueprint parity

    • Applied the same mode-aware validation to resource policy blueprint ingestion (auto-login-idp) to keep import/update behavior consistent with API routes.
  • Error-path clarity

    • Split existence vs org-association failures so global-mode misses are not incorrectly reported as org-scoped.
const [provider] = await db.select().from(idp).where(eq(idp.idpId, idpId)).limit(1);
if (!provider) throw/createHttpError(..., "Identity provider not found");

if (process.env.IDENTITY_PROVIDER_MODE === "org") {
  const [providerOrg] = await db
    .select()
    .from(idpOrg)
    .where(and(eq(idpOrg.idpId, idpId), eq(idpOrg.orgId, orgId)))
    .limit(1);

  if (!providerOrg) throw/createHttpError(..., "Identity provider not found in this organization");
}

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/pangolin/pull/3295 **Author:** [@Copilot](https://github.com/apps/copilot-swe-agent) **Created:** 6/16/2026 **Status:** 🔄 Open **Base:** `dependabot/npm_and_yarn/dev-minor-updates-4bbcce3681` ← **Head:** `copilot/fix-default-identity-provider` --- ### 📝 Commits (3) - [`fec0fea`](https://github.com/fosrl/pangolin/commit/fec0fea76660898e724094b0a92106576f86eae3) Initial plan - [`ad1c811`](https://github.com/fosrl/pangolin/commit/ad1c8113ead6058868989234da09573cb2f94b91) fix: allow default IdP validation in global mode policies - [`3b68139`](https://github.com/fosrl/pangolin/commit/3b681398733df59e77c5ba477264a93267ab941e) fix: clarify IdP validation messages across policy flows ### 📊 Changes **3 files changed** (+66 additions, -16 deletions) <details> <summary>View changed files</summary> 📝 `server/lib/blueprints/resourcePolicies.ts` (+21 -8) 📝 `server/private/routers/policy/createResourcePolicy.ts` (+24 -3) 📝 `server/routers/policy/setResourcePolicyAccessControl.ts` (+21 -5) </details> ### 📄 Description After 1.19.x resource-policy migration, saving a default identity provider could fail with `Identity provider not found in this organization` even when the IdP was valid in global mode. This PR aligns policy IdP validation with `IDENTITY_PROVIDER_MODE` semantics so global IdPs are accepted where appropriate. - **Validation semantics update (policy access-control + policy creation)** - Updated IdP checks to first validate `idp.idpId` existence. - Only enforce `idpOrg(orgId)` linkage when `IDENTITY_PROVIDER_MODE === "org"`. - **Blueprint parity** - Applied the same mode-aware validation to resource policy blueprint ingestion (`auto-login-idp`) to keep import/update behavior consistent with API routes. - **Error-path clarity** - Split existence vs org-association failures so global-mode misses are not incorrectly reported as org-scoped. ```ts const [provider] = await db.select().from(idp).where(eq(idp.idpId, idpId)).limit(1); if (!provider) throw/createHttpError(..., "Identity provider not found"); if (process.env.IDENTITY_PROVIDER_MODE === "org") { const [providerOrg] = await db .select() .from(idpOrg) .where(and(eq(idpOrg.idpId, idpId), eq(idpOrg.orgId, orgId))) .limit(1); if (!providerOrg) throw/createHttpError(..., "Identity provider not found in this organization"); } ``` --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-18 22:11:40 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#36934