diff --git a/backend/core/src/main/java/org/opencdmp/service/user/UserServiceImpl.java b/backend/core/src/main/java/org/opencdmp/service/user/UserServiceImpl.java
index 0bd2c495f..7f36055f2 100644
--- a/backend/core/src/main/java/org/opencdmp/service/user/UserServiceImpl.java
+++ b/backend/core/src/main/java/org/opencdmp/service/user/UserServiceImpl.java
@@ -364,6 +364,10 @@ public class UserServiceImpl implements UserService {
 this.eventBroker.emit(new UserTouchedEvent(data.getId()));
 this.syncKeycloakRoles(data.getId());
+
+ if (model.getRoles().stream().noneMatch(authorizationConfiguration.getAuthorizationProperties().getAllowedTenantRoles()::contains)){
+ this.deleteTenantUser(model.getId());
+ }
 this.userTouchedIntegrationEventHandler.handle(data.getId());
 return this.builderFactory.builder(UserBuilder.class).authorize(AuthorizationFlags.AllExceptPublic).build(BaseFieldSet.build(fields, User._id), data);
@@ -448,6 +452,16 @@ public class UserServiceImpl implements UserService {
 }
+ private void deleteTenantUser(UUID userId) throws InvalidApplicationException {
+ if (!this.tenantScope.isSet()) throw new MyForbiddenException("tenant scope required");
+ if (this.tenantScope.isDefaultTenant()) return;
+
+ TenantUserEntity tenantUser = this.queryFactory.query(TenantUserQuery.class).isActive(IsActive.Active).userIds(userId).tenantIds(this.tenantScope.getTenant()).first();
+ if (tenantUser == null) throw new MyApplicationException("tenant user not found");
+
+ this.deleterFactory.deleter(TenantUserDeleter.class).delete(List.of(tenantUser));
+ }
+
 //region mine
 @Override
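Review bot: The new tenant-removal call passes `model.getId()` while every neighbouring line in this hunk keys on `data.getId()`; if this persist method also serves the create path, where the incoming model may carry no id, `deleteTenantUser` would be queried with a null user id. Use the persisted entity's id instead, `this.deleteTenantUser(data.getId());`. Note also that `model.getRoles().stream()` throws NullPointerException when the role list is absent from the request, which is acceptable only if validation upstream (not visible here) guarantees it is non-null. Finally, the check runs after `syncKeycloakRoles`, so any exception thrown out of `deleteTenantUser` leaves Keycloak already updated with the new roles; unless the method is transactional with compensating logic (not visible), evaluate the role condition and the tenant-scope precondition before the sync so the request fails fast rather than half-applied. The enclosing method starts and ends outside the hunk.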
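Review bot: `deleteTenantUser` throws `MyApplicationException("tenant user not found")` when the user has no active membership in the scoped tenant, which makes the caller's role update fail for exactly the end state it is trying to reach (no membership) and, because the caller reaches it only after the Keycloak role sync, leaves the request half-applied. Removal should be idempotent, `if (tenantUser == null) return;` (a debug log is fine), so saving a non-tenant role set for a user who was never, or is no longer, a member succeeds. The `tenant scope required` forbidden check is likewise only raised after the sync has happened; hoisting it into the caller ahead of any side effect would fail fast without touching Keycloak. The helper performs no authorization of its own, so removing a member from the tenant is gated solely by whatever guards the calling persist (not visible here) — worth stating on the method: `/** Removes the current tenant's membership row for {@code userId} via TenantUserDeleter; no-op in the default tenant. Authorization is assumed to be enforced by the caller. */`.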