From 44a995c6606e3e69eaa024573583d4a918c87ee3 Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Fri, 3 Feb 2023 08:56:19 +0100
Subject: [PATCH] fix: only remove idp links from users of own organisation (#5156)

ensure linked users of the (instance) idp are only affected if they are part of the organisation where the idp is removed from the login policy
---
 internal/api/grpc/management/policy_login.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/internal/api/grpc/management/policy_login.go b/internal/api/grpc/management/policy_login.go
index 59b8f74a5a..d3df45bc87 100644
--- a/internal/api/grpc/management/policy_login.go
+++ b/internal/api/grpc/management/policy_login.go
@@ -93,17 +93,22 @@ func (s *Server) AddIDPToLoginPolicy(ctx context.Context, req *mgmt_pb.AddIDPToL
 }
 
 func (s *Server) RemoveIDPFromLoginPolicy(ctx context.Context, req *mgmt_pb.RemoveIDPFromLoginPolicyRequest) (*mgmt_pb.RemoveIDPFromLoginPolicyResponse, error) {
+ orgID := authz.GetCtxData(ctx).OrgID
 idpQuery, err := query.NewIDPUserLinkIDPIDSearchQuery(req.IdpId)
 if err != nil {
 return nil, err
 }
+ resourceOwnerQuery, err := query.NewIDPUserLinksResourceOwnerSearchQuery(orgID)
+ if err != nil {
+ return nil, err
+ }
 userLinks, err := s.query.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{
- Queries: []query.SearchQuery{idpQuery},
+ Queries: []query.SearchQuery{idpQuery, resourceOwnerQuery},
 }, false)
 if err != nil {
 return nil, err
 }
- objectDetails, err := s.command.RemoveIDPFromLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, &domain.IDPProvider{IDPConfigID: req.IdpId}, user.ExternalIDPViewsToExternalIDPs(userLinks.Links)...)
+ objectDetails, err := s.command.RemoveIDPFromLoginPolicy(ctx, orgID, &domain.IDPProvider{IDPConfigID: req.IdpId}, user.ExternalIDPViewsToExternalIDPs(userLinks.Links)...)
 if err != nil {
 return nil, err
 }
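Review bot: The tenant boundary is now enforced only in this gRPC handler: the `resourceOwnerQuery` added before the `IDPUserLinks` call restricts which links are loaded, but the command `s.command.RemoveIDPFromLoginPolicy` still receives a caller-assembled link list and, as far as this hunk shows, does not itself verify that each link's resource owner equals `orgID`, so any other caller of that command would not get this protection. Consider having the command re-check ownership of the passed links (or at least document the invariant it relies on), and add a why-comment above the query: `// an instance-level IDP can be linked to users of other organisations; only links owned by orgID may be removed here`. The function's body continues past the end of the hunk.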