The AWS Auditor CloudShell script used `cat <<EOF ... EOF` to build the trust policy. If copy/paste mangled the EOF marker (whitespace added, line concatenated, or content truncated), bash kept reading lines looking for EOF, hit end-of-file, and failed with:

    here-document at line 71 delimited by end-of-file (wanted 'EOF')
    command substitution: line 105: unexpected EOF while looking for matching ')'

Replaced the heredoc with inline single-quoted JSON, matching the Remediation script's existing pattern. Same IAM role, same policies, same trust relationship — byte-identical commands sent to AWS, just delivered via a more robust bash syntax.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(portal): resolve RBAC permissions instead of checking role names

  The previous hasPortalAccess checked role names against BUILT_IN_ROLE_PERMISSIONS — unrecognized roles (like better-auth's default "member") caused false denials. Now resolves the user's full RBAC permissions by merging all roles (built-in + custom from DB), then checks for portal:read or compliance obligation. Also removes incorrect 'use server' directive.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(auth): remove compliance obligation from owner and admin roles

  Owner and admin roles manage compliance — they don't complete compliance tasks themselves. Users who need to complete employee tasks (sign policies, watch training, install device agent) should have the employee role added explicitly.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(auth): restore compliance obligation for owner role

  Owners are typically the initial user and should complete compliance tasks by default. Admins still need the employee role added explicitly.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(auth): remove portal permissions from admin role

  Admins manage compliance through the main app — they don't need portal access by default. Add the employee role to grant portal access and compliance tasks, matching the CX team's workflow.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(portal): show access denied message instead of redirect loop

  When a user lacks portal access, render a clear message telling them to ask their admin for the employee role — instead of redirecting to / which would loop back to the org page.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test(rbac): add portal access matrix tests and fix permission regression tests

  Add portal-access.spec.ts verifying the role → portal access matrix: employee/contractor/owner → ALLOW, admin/auditor/member → DENY, admin+employee → ALLOW. Prevents regressions in portal gating logic.

  Update permissions-regression.spec.ts: admin no longer has portal or compliance, finding is read/update only for owner/admin (not full CRUD), fix ESM mocks for better-auth server imports.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
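The portal-gating change described in the commits above, as an added example that is not the project's code: access is decided on the union of the user's resolved permissions, so an unknown role contributes nothing rather than forcing a denial. The role table, the `compliance: ["obligation"]` encoding and the comma-separated role string are assumptions constructed from the access matrix in the test commit.

```typescript
// Added example, not the project's code: decide portal access from the union
// of a user's resolved RBAC permissions instead of matching role names.
// The role table below is constructed from the access matrix in the PR
// (employee/contractor/owner allow; admin/auditor/member deny; admin+employee
// allow) and is not the project's real BUILT_IN_ROLE_PERMISSIONS.
type Permissions = Record<string, string[]>;

const BUILT_IN_ROLE_PERMISSIONS: Record<string, Permissions> = {
  owner: { finding: ["read", "update"], compliance: ["obligation"] },
  admin: { finding: ["read", "update"] }, // no portal, no compliance
  auditor: { finding: ["read"] },
  employee: { portal: ["read"], compliance: ["obligation"] },
  contractor: { portal: ["read"], compliance: ["obligation"] },
};

// Custom roles normally come from the DB; modelled here as a lookup callback.
type CustomRoleLookup = (name: string) => Permissions | undefined;
const noCustomRoles: CustomRoleLookup = () => undefined;

// Merge every role the user holds into one permission map. A role that is
// neither built-in nor custom (e.g. better-auth's default "member") simply
// contributes nothing; it does not cause a denial on its own.
function resolvePermissions(roleNames: string[], customRoles = noCustomRoles): Permissions {
  const merged: Permissions = {};
  for (const name of roleNames) {
    const perms = BUILT_IN_ROLE_PERMISSIONS[name] ?? customRoles(name);
    if (!perms) continue;
    for (const [resource, actions] of Object.entries(perms)) {
      merged[resource] = [...new Set([...(merged[resource] ?? []), ...actions])];
    }
  }
  return merged;
}

// Portal access = portal:read permission OR a compliance obligation,
// evaluated on the merged permissions rather than on role names.
function hasPortalAccess(roleNames: string[], customRoles = noCustomRoles): boolean {
  const perms = resolvePermissions(roleNames, customRoles);
  const canReadPortal = (perms["portal"] ?? []).includes("read");
  const mustDoCompliance = (perms["compliance"] ?? []).includes("obligation");
  return canReadPortal || mustDoCompliance;
}

// Assumed here: multiple roles arrive as one comma-separated string ("admin,employee").
function hasPortalAccessForRoleString(role: string, customRoles = noCustomRoles): boolean {
  const names = role.split(",").map((r) => r.trim()).filter((r) => r.length > 0);
  return hasPortalAccess(names, customRoles);
}
```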
🎉 This PR is included in version 3.54.2 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Fix portal access by resolving RBAC across all roles and remove default portal access/compliance from admins. Users without access now see a clear in-app message instead of a redirect loop.
Bug Fixes

- Portal: `hasPortalAccess` now resolves the user's merged RBAC permissions and grants access when `portal` actions exist or compliance is required. Unknown roles (e.g. `member`) are ignored, not denied.
- @trycompai/auth: remove `portal` permissions and compliance obligation from `admin`; keep `owner` compliance. Enforce `finding` read/update-only for owner/admin.
- Remove the incorrect `use server` directive.

Migration

- Admins who need portal access or compliance tasks must have the `employee` role added to their account.

Written for commit 9316c6d. Summary will update on new commits.