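// UserRBACSubject fetches a user's rbac.Subject from the database. It pulls all roles from both
// site and organization scopes. It also pulls the groups, and the user's status.
//
// Both database reads run under a system-restricted context (see the nolint
// justification below). That elevated context is used only for those two reads
// and is not stored in the returned Subject; the caller-supplied scope is what
// bounds the Subject that comes back.
//
// It returns the Subject with its AST value pre-computed, the user's account
// status, and an error that wraps whichever lookup failed. Each failure point
// carries a distinct message so the wrapped error identifies which step broke.
func UserRBACSubject(ctx context.Context, db database.Store, userID uuid.UUID, scope rbac.ExpandableScope) (rbac.Subject, database.UserStatus, error) {
	//nolint:gocritic // system needs to read user roles and look up custom roles the user has assigned
	sysCtx := dbauthz.AsSystemRestricted(ctx)

	roles, err := db.GetAuthorizationUserRoles(sysCtx, userID)
	if err != nil {
		return rbac.Subject{}, "", xerrors.Errorf("get authorization user roles: %w", err)
	}

	roleNames, err := roles.RoleNames()
	if err != nil {
		return rbac.Subject{}, "", xerrors.Errorf("parse role names: %w", err)
	}

	// Role names alone carry no permissions; expand them into full rbac roles
	// (including any custom roles) so the Subject is usable for authorization.
	rbacRoles, err := rolestore.Expand(sysCtx, db, roleNames)
	if err != nil {
		return rbac.Subject{}, "", xerrors.Errorf("expand roles: %w", err)
	}

	actor := rbac.Subject{
		Type:         rbac.SubjectTypeUser,
		FriendlyName: roles.Username,
		Email:        roles.Email,
		ID:           userID.String(),
		Roles:        rbacRoles,
		Groups:       roles.Groups,
		Scope:        scope,
	}.WithCachedASTValue()
	return actor, roles.Status, nil
}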
| 928 | |
| 929 | // APITokenFromRequest returns the api token from the request. |
| 930 | // Find the session token from: |