ReconcileSystemRole compares the given role's permissions against the desired permissions produced by the permissions function based on the organization's settings. If they differ, the DB row is updated. Uses set-based comparison so permission ordering doesn't matter. Returns the correct role and a
( ctx context.Context, tx database.Store, in database.CustomRole, org database.Organization, )
| 284 | // IMPORTANT: Callers must hold database.LockIDReconcileSystemRoles |
| 285 | // for the duration of the enclosing transaction. |
| 286 | func ReconcileSystemRole( |
| 287 | ctx context.Context, |
| 288 | tx database.Store, |
| 289 | in database.CustomRole, |
| 290 | org database.Organization, |
| 291 | ) (database.CustomRole, bool, error) { |
| 292 | permsFunc, ok := systemRoles[in.Name] |
| 293 | if !ok { |
| 294 | panic("dev error: no permissions function exists for role " + in.Name) |
| 295 | } |
| 296 | |
| 297 | // All fields except OrgPermissions and MemberPermissions will be the same. |
| 298 | out := in |
| 299 | |
| 300 | // Paranoia check: we don't use these in custom roles yet. |
| 301 | out.SitePermissions = database.CustomRolePermissions{} |
| 302 | out.UserPermissions = database.CustomRolePermissions{} |
| 303 | out.DisplayName = "" |
| 304 | |
| 305 | inOrgPerms := ConvertDBPermissions(in.OrgPermissions) |
| 306 | inMemberPerms := ConvertDBPermissions(in.MemberPermissions) |
| 307 | |
| 308 | outPerms := permsFunc(orgSettings(org)) |
| 309 | |
| 310 | match := rbac.PermissionsEqual(inOrgPerms, outPerms.Org) && |
| 311 | rbac.PermissionsEqual(inMemberPerms, outPerms.Member) |
| 312 | |
| 313 | if !match { |
| 314 | out.OrgPermissions = ConvertPermissionsToDB(outPerms.Org) |
| 315 | out.MemberPermissions = ConvertPermissionsToDB(outPerms.Member) |
| 316 | |
| 317 | _, err := tx.UpdateCustomRole(ctx, database.UpdateCustomRoleParams{ |
| 318 | Name: out.Name, |
| 319 | OrganizationID: out.OrganizationID, |
| 320 | DisplayName: out.DisplayName, |
| 321 | SitePermissions: out.SitePermissions, |
| 322 | UserPermissions: out.UserPermissions, |
| 323 | OrgPermissions: out.OrgPermissions, |
| 324 | MemberPermissions: out.MemberPermissions, |
| 325 | }) |
| 326 | if err != nil { |
| 327 | return out, !match, xerrors.Errorf("update %s system role for organization %s: %w", |
| 328 | in.Name, in.OrganizationID.UUID, err) |
| 329 | } |
| 330 | } |
| 331 | |
| 332 | return out, !match, nil |
| 333 | } |
| 334 | |
| 335 | // orgSettings maps database.Organization fields to the |
| 336 | // rbac.OrgSettings struct, bridging the database and rbac packages |