RoleByName returns the permissions associated with a given role name. This allows just the role names to be stored and expanded when required. This function is exported so that the Display name can be returned to the api. We should maybe make an exported function that returns just the human-readabl
(name RoleIdentifier)
| 843 | // api. We should maybe make an exported function that returns just the |
| 844 | // human-readable content of the Role struct (name + display name). |
| 845 | func RoleByName(name RoleIdentifier) (Role, error) { |
| 846 | roleFunc, ok := builtInRoles[name.Name] |
| 847 | if !ok { |
| 848 | // No role found |
| 849 | return Role{}, xerrors.Errorf("role %q not found", name.String()) |
| 850 | } |
| 851 | |
| 852 | // Ensure all org roles are properly scoped a non-empty organization id. |
| 853 | // This is just some defensive programming. |
| 854 | role := roleFunc(name.OrganizationID) |
| 855 | if len(role.ByOrgID) > 0 && name.OrganizationID == uuid.Nil { |
| 856 | return Role{}, xerrors.Errorf("expect a org id for role %q", name.String()) |
| 857 | } |
| 858 | |
| 859 | // This can happen if a custom role shares the same name as a built-in role. |
| 860 | // You could make an org role called "owner", and we should not return the |
| 861 | // owner role itself. |
| 862 | if name.OrganizationID != role.Identifier.OrganizationID { |
| 863 | return Role{}, xerrors.Errorf("role %q not found", name.String()) |
| 864 | } |
| 865 | |
| 866 | return role, nil |
| 867 | } |
| 868 | |
| 869 | func rolesByNames(roleNames []RoleIdentifier) ([]Role, error) { |
| 870 | roles := make([]Role, 0, len(roleNames)) |