fix: TeamManager admin rules, close role self-escalation, escalate-only resync (#27)
TeamManager could not manage the roster: updateRule allowed self-update
only and deleteRule was superuser-only. The same self-update rule also
left a privilege escalation open — it did not restrict fields, so any
authenticated user could PATCH their own role to "admin".
- team_members rules (migration 1781000003 + base migration + setup
script mirror):
update: (@request.auth.id = id && @request.body.role:isset = false)
|| @request.auth.role = "admin"
delete: @request.auth.role = "admin"
Self-service onboarding keeps working (it never touches role); the
role field is admin-only; deletion is admin-only.
- pb_hooks/team_members.pb.js: the ENTRA_ADMIN_EMAILS resync is now
escalate-only — it guarantees admin for allow-list members on every
login but no longer demotes, otherwise every TeamManager promotion
would revert on the member's next sign-in (ADR-004 amended).
- TeamManager.jsx: info text updated to the new behaviour.
Verified with a two-identity mock-OIDC matrix (11/11): allow-list vs
regular login, self-escalation blocked while onboarding self-update
still works, cross-user update/delete blocked, admin promote/demote/
delete work, promotion survives the member's next login, allow-list
admin stays admin. Regression: #22 matrix 9/9, #24 matrix 8/8, #18
harness 15/15, npm test 112/112, eslint clean.
Closes #27
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -41,14 +41,17 @@ onRecordCreate(function (e) {
|
||||
e.next();
|
||||
}, "team_members");
|
||||
|
||||
// On every successful auth (incl. OIDC): keep the admin role in sync with the
|
||||
// allow-list, so promoting/demoting an admin only requires an env change.
|
||||
// On every successful auth (incl. OIDC): guarantee the admin role for
|
||||
// allow-list members. ESCALATE-ONLY (#27): the allow-list grants admin, it no
|
||||
// longer demotes — otherwise every role promotion made through TeamManager
|
||||
// would be reverted on the member's next login. Demotion runs through
|
||||
// TeamManager; allow-list members cannot be demoted (the list wins on their
|
||||
// next login).
|
||||
onRecordAuthRequest(function (e) {
|
||||
const { resolveRole } = require(`${__hooks}/utils.js`);
|
||||
const email = e.record.get("email") || "";
|
||||
const want = resolveRole(email);
|
||||
if (e.record.get("role") !== want) {
|
||||
e.record.set("role", want);
|
||||
if (resolveRole(email) === "admin" && e.record.get("role") !== "admin") {
|
||||
e.record.set("role", "admin");
|
||||
e.app.save(e.record);
|
||||
}
|
||||
e.next();
|
||||
|
||||
Reference in New Issue
Block a user