Improve user delete and update for sub organizations
ShanChathusanda93 committed Apr 24, 2024
1 parent 547c875 commit 81fbe65
Showing 2 changed files with 37 additions and 12 deletions.
Expand Up @@ -34,6 +34,8 @@
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.handler.event.account.lock.constants.AccountConstants;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
import org.wso2.carbon.identity.role.mgt.core.IdentityRoleManagementException;
import org.wso2.carbon.identity.role.mgt.core.util.UserIDResolver;
import org.wso2.carbon.identity.scim2.common.cache.SCIMCustomAttributeSchemaCache;
Expand Down Expand Up @@ -948,4 +950,20 @@ public static String getLoggedInUserID() throws CharonException {
throw new CharonException("Error occurred while retrieving super admin ID.", e);
}
}

/**
* Check whether the given tenant domain is an organization.
*
* @param tenantDomain Tenant domain of the request
* @return True if the tenant domain is an organization.
* @throws CharonException If an error occurred while checking the organization state.
*/
public static boolean isOrganization(String tenantDomain) throws CharonException {

try {
return OrganizationManagementUtil.isOrganization(tenantDomain);
} catch (OrganizationManagementException e) {
throw new CharonException("Error occurred while checking the organization state.", e);
}
}
}
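Review bot: The catch in isOrganization wraps every OrganizationManagementException into a CharonException whose message does not say which tenant domain was being checked, so an operator reading the resulting error cannot tell which tenant's lookup failed. Since the callers in the second file use this result to decide whether the super-admin guard is applied, that context matters when diagnosing a denied or unexpectedly failed request. Suggest `throw new CharonException("Error occurred while checking the organization state of tenant domain: " + tenantDomain, e);`; the domain is not a secret and the cause is already preserved. Propagating the failure instead of returning false is the right default for a check that gates an authorization decision, so the control flow itself is fine.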
Expand Up @@ -40,6 +40,7 @@
import javax.ws.rs.core.Response;

import static org.wso2.carbon.identity.scim2.provider.util.SupportUtils.buildCustomSchema;
import static org.wso2.carbon.identity.scim2.provider.util.SupportUtils.getTenantDomain;
import static org.wso2.carbon.identity.scim2.provider.util.SupportUtils.getTenantId;

@Path("/")
Expand Down Expand Up @@ -151,13 +152,16 @@ public Response deleteUser(@PathParam(SCIMProviderConstants.ID) String id,
// obtain the user store manager
UserManager userManager = IdentitySCIMManager.getInstance().getUserManager();

String superAdminID = AdminAttributeUtil.getSuperAdminID();
String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
if ((superAdminID.equals(id)) && (!loggedInUser.equals(id))) {
if (LOG.isDebugEnabled()) {
LOG.debug("Do not have permission to delete SuperAdmin user.");
// Skipping this validation if the request comes from a sub organization.
if (!SCIMCommonUtils.isOrganization(getTenantDomain())) {
String superAdminID = AdminAttributeUtil.getSuperAdminID();
String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
if ((superAdminID.equals(id)) && (!loggedInUser.equals(id))) {
if (LOG.isDebugEnabled()) {
LOG.debug("Do not have permission to delete SuperAdmin user.");
}
return Response.status(Response.Status.FORBIDDEN).build();
}
return Response.status(Response.Status.FORBIDDEN).build();
}

// create charon-SCIM user resource manager and hand-over the request.
Expand Down Expand Up @@ -348,13 +352,16 @@ public Response patchUser(@PathParam(SCIMConstants.CommonSchemaConstants.ID) Str
// obtain the user store manager
UserManager userManager = IdentitySCIMManager.getInstance().getUserManager();

String superAdminID = AdminAttributeUtil.getSuperAdminID();
String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
if ((superAdminID.equals(id)) && (!loggedInUser.equals(id))) {
if (LOG.isDebugEnabled()) {
LOG.debug("Do not have permission to patch SuperAdmin user.");
// Skipping this validation if the request comes from a sub organization.
if (!SCIMCommonUtils.isOrganization(getTenantDomain())) {
String superAdminID = AdminAttributeUtil.getSuperAdminID();
String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
if ((superAdminID.equals(id)) && (!loggedInUser.equals(id))) {
if (LOG.isDebugEnabled()) {
LOG.debug("Do not have permission to patch SuperAdmin user.");
}
return Response.status(Response.Status.FORBIDDEN).build();
}
return Response.status(Response.Status.FORBIDDEN).build();
}

// Build Custom schema
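Review bot: The super-admin guard in deleteUser is skipped silently whenever isOrganization(getTenantDomain()) is true, and the identical block is repeated in the patchUser hunk (@@ -348); an authorization check that is bypassed should leave at least a debug trace, and two hand-copied versions of it will drift apart. Whether a sub-organization request can still carry the root super admin's id, so that the old FORBIDDEN path mattered there, I can't tell from the hunk. isOrganization declares CharonException, so both call sites gain a new exception path; the deleteUser and patchUser signatures and their catch blocks lie outside the hunk, so confirm it is handled rather than surfacing as an unmapped error. Suggest moving the decision into one private helper used by both methods, which keeps the existing per-action debug messages at the call sites and logs when the check is skipped:
```java
// … unchanged: obtain the user store manager …
if (isSuperAdminProtected(id)) {
    if (LOG.isDebugEnabled()) {
        LOG.debug("Do not have permission to delete SuperAdmin user.");
    }
    return Response.status(Response.Status.FORBIDDEN).build();
}
// … unchanged: create charon-SCIM user resource manager and hand-over the request …

/**
 * Returns true when {@code id} is the super admin and the caller is not the super admin
 * themselves. The check is skipped for sub-organization tenants, as the original inline
 * comment intends; the skip is logged so the bypass is visible in debug output.
 */
private boolean isSuperAdminProtected(String id) throws CharonException {
    String tenantDomain = getTenantDomain();
    if (SCIMCommonUtils.isOrganization(tenantDomain)) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Skipping super admin check for organization tenant: " + tenantDomain);
        }
        return false;
    }
    String superAdminID = AdminAttributeUtil.getSuperAdminID();
    String loggedInUser = SCIMCommonUtils.getLoggedInUserID();
    return superAdminID.equals(id) && !loggedInUser.equals(id);
}
```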

0 comments on commit 81fbe65

Please sign in to comment.