fix: always assign saas-vendor role to admin user
The admin user needs platform:admin to create tenants via the vendor console. Previously the saas-vendor role was only created when VENDOR_SEED_ENABLED=true (for a separate vendor user). Now the role is always created and assigned to the admin user. VENDOR_SEED_ENABLED only controls creating the separate vendor user. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
@@ -407,8 +407,33 @@ else
|
||||
}")
|
||||
ADMIN_USER_ID=$(echo "$ADMIN_RESPONSE" | jq -r '.id')
|
||||
log "Created platform owner: $ADMIN_USER_ID"
|
||||
# No global role assigned — owner role is org-scoped.
|
||||
# SaaS vendor role is injected via docker/vendor-seed.sh on hosted environments.
|
||||
fi
|
||||
|
||||
# --- Always create saas-vendor role and assign to admin user ---
|
||||
# The admin user needs platform:admin to manage tenants via the vendor console.
|
||||
log "Ensuring saas-vendor role exists..."
|
||||
EXISTING_ROLES=$(api_get "/api/roles")
|
||||
VENDOR_ROLE_ID=$(echo "$EXISTING_ROLES" | jq -r '.[] | select(.name == "saas-vendor" and .type == "User") | .id')
|
||||
|
||||
if [ -z "$VENDOR_ROLE_ID" ]; then
|
||||
ALL_SCOPE_IDS=$(api_get "/api/resources/$API_RESOURCE_ID/scopes" | jq '[.[].id]')
|
||||
log "Creating saas-vendor role with all scopes..."
|
||||
VENDOR_ROLE_RESPONSE=$(api_post "/api/roles" "{
|
||||
\"name\": \"saas-vendor\",
|
||||
\"description\": \"SaaS vendor — full platform control across all tenants\",
|
||||
\"type\": \"User\",
|
||||
\"scopeIds\": $ALL_SCOPE_IDS
|
||||
}")
|
||||
VENDOR_ROLE_ID=$(echo "$VENDOR_ROLE_RESPONSE" | jq -r '.id')
|
||||
log "Created saas-vendor role: $VENDOR_ROLE_ID"
|
||||
else
|
||||
log "saas-vendor role exists: $VENDOR_ROLE_ID"
|
||||
fi
|
||||
|
||||
# Assign vendor role to admin user
|
||||
if [ -n "$VENDOR_ROLE_ID" ] && [ "$VENDOR_ROLE_ID" != "null" ] && [ -n "$ADMIN_USER_ID" ]; then
|
||||
api_post "/api/users/$ADMIN_USER_ID/roles" "{\"roleIds\": [\"$VENDOR_ROLE_ID\"]}" >/dev/null 2>&1
|
||||
log "Assigned saas-vendor role to admin user."
|
||||
fi
|
||||
|
||||
# --- Grant SaaS admin Logto console access (admin tenant, port 3002) ---
|
||||
@@ -590,28 +615,9 @@ chmod 644 "$BOOTSTRAP_FILE"
|
||||
|
||||
if [ "$VENDOR_SEED_ENABLED" = "true" ]; then
|
||||
log ""
|
||||
log "=== Phase 12: Vendor Seed ==="
|
||||
|
||||
# Create saas-vendor global role with all API scopes
|
||||
log "Checking for saas-vendor role..."
|
||||
EXISTING_ROLES=$(api_get "/api/roles")
|
||||
VENDOR_ROLE_ID=$(echo "$EXISTING_ROLES" | jq -r '.[] | select(.name == "saas-vendor" and .type == "User") | .id')
|
||||
|
||||
if [ -n "$VENDOR_ROLE_ID" ]; then
|
||||
log "saas-vendor role exists: $VENDOR_ROLE_ID"
|
||||
else
|
||||
ALL_SCOPE_IDS=$(api_get "/api/resources/$API_RESOURCE_ID/scopes" | jq '[.[].id]')
|
||||
log "Creating saas-vendor role with all scopes..."
|
||||
VENDOR_ROLE_RESPONSE=$(api_post "/api/roles" "{
|
||||
\"name\": \"saas-vendor\",
|
||||
\"description\": \"SaaS vendor — full platform control across all tenants\",
|
||||
\"type\": \"User\",
|
||||
\"scopeIds\": $ALL_SCOPE_IDS
|
||||
}")
|
||||
VENDOR_ROLE_ID=$(echo "$VENDOR_ROLE_RESPONSE" | jq -r '.id')
|
||||
log "Created saas-vendor role: $VENDOR_ROLE_ID"
|
||||
fi
|
||||
log "=== Phase 12: Vendor Seed (separate vendor user) ==="
|
||||
|
||||
# saas-vendor role already created above — just create the separate vendor user
|
||||
# Create vendor user
|
||||
log "Checking for vendor user '$VENDOR_USER'..."
|
||||
VENDOR_USER_ID=$(api_get "/api/users?search=$VENDOR_USER" | jq -r ".[] | select(.username == \"$VENDOR_USER\") | .id")
|
||||
|
||||
Reference in New Issue
Block a user