From 48cfb7cfa685e3711b05447de946baec6c566150 Mon Sep 17 00:00:00 2001 From: sysops Date: Sat, 4 Apr 2026 19:51:42 +0200 Subject: [PATCH] fix: auditor immer globalen Index nutzen, tenant_id ignorieren auditor-Rolle hat evtl. tenant_id gesetzt (historisch), soll aber trotzdem immer den globalen Index durchsuchen und nur No-Tenant-Mails sehen. tenant_id auf auditor-User per DB-Migration auf NULL gesetzt. Co-Authored-By: Claude Sonnet 4.6 --- internal/api/search_handlers.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/internal/api/search_handlers.go b/internal/api/search_handlers.go index f4611e0..a9a7fba 100644 --- a/internal/api/search_handlers.go +++ b/internal/api/search_handlers.go @@ -94,10 +94,12 @@ func (s *Server) handleSearch(w http.ResponseWriter, r *http.Request) { // PROJ-21 Phase 4: Use per-tenant index when available; fall back to // global index + post-filter when the tenant index manager is not wired. + // auditor always uses the global index — they see no-tenant mails only, + // regardless of any tenant_id on their user record. tenantID := tenantFromCtx(r.Context()) searchIdx := s.idx usedTenantIndex := false - if s.idxMgr != nil && tenantID != nil { + if s.idxMgr != nil && tenantID != nil && sess.Role != userstore.RoleAuditor { searchIdx = s.idxMgr.ForTenant(tenantID) usedTenantIndex = true } @@ -111,7 +113,7 @@ func (s *Server) handleSearch(w http.ResponseWriter, r *http.Request) { // Fallback tenant isolation: post-filter when we used the global index // but the user belongs to a tenant. This is the legacy path; the per-tenant // index path above makes this unnecessary. - if tenantID != nil && !usedTenantIndex && len(result.Hits) > 0 { + if tenantID != nil && !usedTenantIndex && len(result.Hits) > 0 && sess.Role != userstore.RoleAuditor { allowedIDs, idErr := s.store.GetAllIDsByTenant(r.Context(), tenantID) if idErr == nil { allowed := make(map[string]struct{}, len(allowedIDs))