Closed craigyu closed 3 days ago
Ref log (prod):
Looks like it is due to a router guard using a validator that calls the external IDIM service to get back the user's information for checking (on target_user, in this case 'RDECAMPO').
This router_guard "enforce_bceid_by_same_org_guard" is needed for both the CREATE and DELETE user_role_assignment endpoints to enforce that if a BCeID user is trying to delete another user, it can only delete a user that belongs to the same organization. Fixing this "delete inactive user (not found)" might be a bit tricky...
As discussed, we will do:
- IDIR user can delete an inactive user_role from the FAM db without needing to retrieve the user identity from the external service: (local setup: IDIR user login)
- BCeID user will need to ask the app admin to remove an inactive user_role because it needs to verify the target user from the external service: (local setup: BCeID user login, same organization so it can see the "INACTIVE USER"):
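
The decision described in the comment above, sketched as an added example (not code from the FAM repository). `check_delete_allowed`, `Requester`, `GuardDenied` and `fake_idim_lookup` are hypothetical names, and the sample directory is constructed; it assumes IDIR requesters are exempt from the same-organization rule and that a BCeID request fails closed when the target cannot be verified.

```python
from dataclasses import dataclass
from typing import Callable, Optional

IDIR, BCEID = "IDIR", "BCEID"  # requester identity types named in the thread


@dataclass(frozen=True)
class Requester:
    user_name: str
    user_type: str                      # IDIR or BCEID
    organization: Optional[str] = None  # only meaningful for BCeID requesters


class GuardDenied(Exception):
    """Raised when the guard refuses the delete (an API would return 403)."""


def check_delete_allowed(requester: Requester, target_user_name: str,
                         idim_lookup: Callable[[str], Optional[dict]]) -> str:
    """Hypothetical stand-in for enforce_bceid_by_same_org_guard on DELETE.

    idim_lookup returns the target's identity record, or None when the
    external service cannot find the user (the inactive-user case).
    """
    if requester.user_type == IDIR:
        # Assumption: the same-organization rule applies to BCeID requesters
        # only, so no external lookup is made and inactive targets can go.
        return "allowed: no external lookup"
    if requester.user_type != BCEID:
        raise GuardDenied("unknown requester type")
    target = idim_lookup(target_user_name)
    if target is None:
        # Fail closed: with no identity record the organization is unverifiable.
        raise GuardDenied("target not verifiable; ask an app admin to remove it")
    if (requester.organization is None
            or target.get("organization") != requester.organization):
        raise GuardDenied("target belongs to a different organization")
    return "allowed: same organization"


# Constructed sample directory: 'RDECAMPO' (the target in the thread) is
# absent, as an inactive user would be in the external service.
FAKE_IDIM = {"ACTIVE_USER": {"organization": "ORG-A"}}


def fake_idim_lookup(user_name: str) -> Optional[dict]:
    return FAKE_IDIM.get(user_name)
```
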
If a user is deactivated, allow their user role assignments to be deleted
Acceptance Criteria: