diff --git a/support/iam/src/basic/serv/iam_cert_mail_vcode_serv.rs b/support/iam/src/basic/serv/iam_cert_mail_vcode_serv.rs index 2a437cffa..aa8f3e99c 100644 --- a/support/iam/src/basic/serv/iam_cert_mail_vcode_serv.rs +++ b/support/iam/src/basic/serv/iam_cert_mail_vcode_serv.rs @@ -273,7 +273,8 @@ impl IamCertMailVCodeServ { if cached_vcode == input_vcode { let rel_rbum_cert_conf_id = IamCertServ::get_cert_conf_id_by_kind(IamCertKernelKind::MailVCode.to_string().as_str(), Some(IamTenantServ::get_id_by_ctx(&ctx, funs)?), funs).await?; - let id = if Self::check_bind_mail(mail, vec![rel_rbum_cert_conf_id.clone()], &ctx.owner.clone(), funs, &ctx).await.is_ok() { + Self::check_mail_bound(mail, vec![rel_rbum_cert_conf_id.clone()], funs, &ctx).await?; + let id = if Self::check_account_bind_mail(vec![rel_rbum_cert_conf_id.clone()], &ctx.owner.clone(), funs, &ctx).await.is_ok() { RbumCertServ::add_rbum( &mut RbumCertAddReq { ak: TrimString(mail.trim().to_string()), @@ -342,7 +343,7 @@ impl IamCertMailVCodeServ { Err(funs.err().unauthorized("iam_cert_mail_vcode", "activate", "email or verification code error", "401-iam-cert-valid")) } - pub async fn check_bind_mail(mail: &str, rel_rbum_cert_conf_ids: Vec, rel_rbum_id: &str, funs: &TardisFunsInst, ctx: &TardisContext) -> TardisResult<()> { + async fn check_account_bind_mail(rel_rbum_cert_conf_ids: Vec, rel_rbum_id: &str, funs: &TardisFunsInst, ctx: &TardisContext) -> TardisResult<()> { // check bind or not if RbumCertServ::count_rbums( &RbumCertFilterReq { @@ -364,6 +365,10 @@ impl IamCertMailVCodeServ { { return Err(funs.err().conflict("iam_cert_mail_vcode", "bind", "email already exist bind", "409-iam-cert-email-bind-already-exist")); } + Ok(()) + } + + async fn check_mail_bound(mail: &str, rel_rbum_cert_conf_ids: Vec, funs: &TardisFunsInst, ctx: &TardisContext) -> TardisResult<()> { // check existence or not if RbumCertServ::count_rbums( &RbumCertFilterReq { 
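Review bot: In the first hunk, `Self::check_account_bind_mail(...).await.is_ok()` still treats every failure as "already bound", so an error from the `count_rbums` lookup (for example a database or connection failure) is handled exactly like the 409 conflict and execution continues into the `else` branch, which lies outside this hunk. For a credential-binding decision the lookup error should propagate instead. Either let the helper return `TardisResult<bool>` and branch on `let already_bound = Self::check_account_bind_mail(...).await?;`, or match on the conflict error explicitly and return any other `Err`. The first hunk of `iam_cert_phone_vcode_serv.rs` has the same pattern with `check_account_bind_phone`.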
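Review bot: The new `check_mail_bound` in the third hunk receives `mail` exactly as the caller passed it, while the insert in the first hunk stores `mail.trim()` as the `ak`. The filter body runs past the end of this hunk, so whether it trims is not visible; if it compares the raw string, an address padded with whitespace passes the existence check and is then stored as a duplicate of an existing binding. Normalising once at the top of the helper, `let mail = mail.trim();`, keeps the check and the stored value aligned, and `check_phone_bound` in `iam_cert_phone_vcode_serv.rs` would need the same line. A doc comment stating which outcome returns `Err` would also help, because the name can be read either way.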
diff --git a/support/iam/src/basic/serv/iam_cert_phone_vcode_serv.rs b/support/iam/src/basic/serv/iam_cert_phone_vcode_serv.rs index ac6f82a2e..614346a8a 100644 --- a/support/iam/src/basic/serv/iam_cert_phone_vcode_serv.rs +++ b/support/iam/src/basic/serv/iam_cert_phone_vcode_serv.rs @@ -297,7 +297,8 @@ impl IamCertPhoneVCodeServ { if cached_vcode == input_vcode { let rel_rbum_cert_conf_id = IamCertServ::get_cert_conf_id_by_kind(IamCertKernelKind::PhoneVCode.to_string().as_str(), Some(IamTenantServ::get_id_by_ctx(&ctx, funs)?), funs).await?; - let id = if Self::check_bind_phone(phone, vec![rel_rbum_cert_conf_id.clone()], &ctx.owner.clone(), funs, &ctx).await.is_ok() { + Self::check_phone_bound(phone, vec![rel_rbum_cert_conf_id.clone()], funs, &ctx).await?; + let id = if Self::check_account_bind_phone(vec![rel_rbum_cert_conf_id.clone()], &ctx.owner.clone(), funs, &ctx).await.is_ok() { RbumCertServ::add_rbum( &mut RbumCertAddReq { ak: TrimString(phone.trim().to_string()), @@ -365,7 +366,7 @@ impl IamCertPhoneVCodeServ { Err(funs.err().unauthorized("iam_cert_phone_vcode", "bind", "phone or verification code error", "401-iam-cert-valid")) } - pub async fn check_bind_phone(phone: &str, rel_rbum_cert_conf_ids: Vec, rel_rbum_id: &str, funs: &TardisFunsInst, ctx: &TardisContext) -> TardisResult<()> { + async fn check_account_bind_phone(rel_rbum_cert_conf_ids: Vec, rel_rbum_id: &str, funs: &TardisFunsInst, ctx: &TardisContext) -> TardisResult<()> { // check bind or not if RbumCertServ::count_rbums( &RbumCertFilterReq { @@ -387,6 +388,10 @@ impl IamCertPhoneVCodeServ { { return Err(funs.err().conflict("iam_cert_phone_vcode", "bind", "phone already exist bind", "409-iam-cert-phone-bind-already-exist")); } + Ok(()) + } + + async fn check_phone_bound(phone: &str, rel_rbum_cert_conf_ids: Vec, funs: &TardisFunsInst, ctx: &TardisContext) -> TardisResult<()> { // check existence or not if RbumCertServ::count_rbums( &RbumCertFilterReq { 
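Review bot: In the first hunk, `check_phone_bound(...).await?` followed by `RbumCertServ::add_rbum` is a check-then-insert sequence, and nothing visible here makes the two steps atomic. Two concurrent bind requests for the same phone number could both pass the count check before either row is written, unless `funs` runs inside a transaction with suitable isolation or the cert table carries a unique constraint on `ak` per cert conf; neither is shown in this diff. It is worth confirming which one applies and recording it next to the call, e.g. `// uniqueness is enforced by <constraint or transaction>; this check only produces the early error`. The same sequence appears in the first hunk of `iam_cert_mail_vcode_serv.rs`.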
diff --git a/support/iam/src/basic/serv/iam_rel_serv.rs b/support/iam/src/basic/serv/iam_rel_serv.rs index 2f7a32a97..6dcefd57e 100644 --- a/support/iam/src/basic/serv/iam_rel_serv.rs +++ b/support/iam/src/basic/serv/iam_rel_serv.rs @@ -427,10 +427,12 @@ impl IamRelServ { // 1) Find the list of roles associated with a menu or element resource (ready to remove the binding to the API resource from the cache) let sys_ctx = IamCertServ::use_sys_ctx_unsafe(ctx.clone())?; let rel_role_ids = Self::find_from_id_rels(&IamRelKind::IamResRole, true, res_other_id, None, None, funs, &sys_ctx).await?; + let rel_api_role_ids = Self::find_from_id_rels(&IamRelKind::IamResRole, true, res_api_id, None, None, funs, &sys_ctx).await?; + let rel_api_res_ids = Self::find_from_id_rels(&IamRelKind::IamResApi, true, res_api_id, None, None, funs, &sys_ctx).await?; let mut remove_role_ids = Vec::new(); for rel_role_id in rel_role_ids { // 2) If an API resource is explicitly associated with a role, it cannot be removed - if Self::exist_rels(&IamRelKind::IamResRole, res_api_id, &rel_role_id, funs, &sys_ctx).await? { + if rel_api_role_ids.contains(&rel_role_id) { continue; } // 3) Find the list of resources associated with the associated role (indirect relationship) @@ -442,7 +444,7 @@ impl IamRelServ { .collect::>(); // 5) If these associated resources are explicitly associated with API resources, they cannot be removed for rel_res_id in rel_res_ids { - if Self::exist_rels(&IamRelKind::IamResApi, res_api_id, &rel_res_id, funs, &sys_ctx).await? { + if rel_api_res_ids.contains(&rel_res_id) { break; } }
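Review bot: The two prefetches added in the first hunk call `find_from_id_rels(..., true, res_api_id, ...)`, and nothing in this diff shows that they return the same relations the removed `exist_rels(kind, res_api_id, id, ...)` calls matched. If the second argument (`true`) widens the lookup, or if `find_from_id_rels` resolves the opposite side of the relation, the `contains` checks in both hunks change which roles end up in `remove_role_ids`. Going by the comment at step 1, that list drives removal of role-to-API bindings from the cache, so a wider match could leave revoked bindings cached and a narrower one could evict bindings that are still valid. A test covering an API explicitly bound to a role (step 2) and to a resource (step 5) would pin the equivalence. If the lists can grow, collecting them into a `std::collections::HashSet<String>` keeps each lookup constant-time.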