From ae15e1887b3b699f6fa40f99f7666eb8eefef28c Mon Sep 17 00:00:00 2001
From: Stephan D
Date: Mon, 24 Nov 2025 15:03:10 +0100
Subject: [PATCH] better error checks
---
 api/pkg/auth/internal/native/enforcer.go | 6 ++++++
 api/server/interface/accountservice/internal/service.go | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/api/pkg/auth/internal/native/enforcer.go b/api/pkg/auth/internal/native/enforcer.go
index 848d4fb..974309d 100644
--- a/api/pkg/auth/internal/native/enforcer.go
+++ b/api/pkg/auth/internal/native/enforcer.go
@@ -47,6 +47,12 @@ func (n *Enforcer) Enforce(
 permissionRef, accountRef, organizationRef, objectRef primitive.ObjectID,
 action model.Action,
 ) (bool, error) {
+ if organizationRef.IsZero() {
+ n.logger.Warn("Missing organization context", mzap.ObjRef("account_ref", accountRef),
+ mzap.ObjRef("organization_ref", organizationRef), mzap.ObjRef("permission_ref", permissionRef),
+ mzap.ObjRef("object", objectRef), zap.String("action", string(action)))
+ return false, merrors.InvalidArgument("organization context missing", "organizationRef")
+ }
 roleAssignments, err := n.rdb.Roles(ctx, accountRef, organizationRef)
 if errors.Is(err, merrors.ErrNoData) {
 n.logger.Debug("No roles defined for account", mzap.ObjRef("account_ref", accountRef))
diff --git a/api/server/interface/accountservice/internal/service.go b/api/server/interface/accountservice/internal/service.go
index 8e16058..4a6e38f 100644
--- a/api/server/interface/accountservice/internal/service.go
+++ b/api/server/interface/accountservice/internal/service.go
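Review bot: The guard added at the top of Enforce fails closed only for a zero organizationRef; accountRef still goes unchecked into `n.rdb.Roles(ctx, accountRef, organizationRef)` right after it, and permissionRef is not validated in the visible lines. If a zero account or permission reference can never be a valid authorization subject, give each its own guard returning the matching `merrors.InvalidArgument(...)`, so an unset ID cannot reach the role lookup; whether objectRef may legitimately be zero cannot be judged from this hunk. In the Warn call, the key `"object"` breaks the `_ref` suffix the other fields use, and `mzap.ObjRef("object_ref", objectRef)` would keep denial logs queryable under one naming scheme. Enforce's body continues past the end of the hunk.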
@@ -252,8 +252,8 @@ func (s *service) JoinOrganization(
 AccountRef: account.ID,
 }
 if err := s.roleManager.Assign(ctx, role); err != nil {
- s.logger.Warn("Failed to assign role to account",
- zap.Error(err), mzap.StorableRef(account), mzap.StorableRef(org))
+ s.logger.Warn("Failed to assign role to account", zap.Error(err), mzap.StorableRef(account),
+ mzap.StorableRef(org), mzap.ObjRef("role_description_ref", roleDescID))
 return err
 }
 return nil