(ctx context.Context, arg database.UpdateMemberRolesParams)
| 6942 | } |
| 6943 | |
// UpdateMemberRoles authorizes and then applies a change to the roles of the
// organization member identified by arg.OrgID and arg.UserID.
//
// The member is loaded through q.OrganizationMembers (not q.db), the requested
// roles are compared with the roles that lookup returned, and the resulting
// additions and removals are passed to q.canAssignRoles. q.db.UpdateMemberRoles
// runs only if every one of those steps succeeds; on any failure the zero
// database.OrganizationMember is returned together with the error.
func (q *querier) UpdateMemberRoles(ctx context.Context, arg database.UpdateMemberRolesParams) (database.OrganizationMember, error) {
	var none database.OrganizationMember

	// Authorized fetch will check that the actor has read access to the org
	// member since the org member is returned.
	// NOTE(review): ExpectOne presumably rejects zero or multiple rows, and
	// IncludeSystem=false presumably keeps system members out of the result;
	// confirm both against their definitions.
	lookup := database.OrganizationMembersParams{
		OrganizationID: arg.OrgID,
		UserID:         arg.UserID,
		IncludeSystem:  false,
		GithubUserID:   0,
	}
	current, err := database.ExpectOne(q.OrganizationMembers(ctx, lookup))
	if err != nil {
		return none, err
	}

	// The baseline for the comparison is the role list returned by the lookup
	// above, never anything supplied in arg.
	existing, err := q.convertToOrganizationRoles(current.OrganizationMember.OrganizationID, current.OrganizationMember.Roles)
	if err != nil {
		return none, xerrors.Errorf("convert original roles: %w", err)
	}

	// The 'rbac' package expects role names to be scoped, so the roles from
	// the argument are converted before they are validated.
	requested, err := q.convertToOrganizationRoles(arg.OrgID, arg.GrantedRoles)
	if err != nil {
		return none, err
	}

	// The org member role is always implied, so it is part of the target set
	// even when the caller did not list it.
	//nolint:gocritic
	desired := append(requested, rbac.ScopedRoleOrgMember(arg.OrgID))

	// Both directions of the change are submitted for authorization: roles
	// being added and roles being removed.
	// NOTE(review): the role read above and the write below are separate
	// calls; whether they run inside one transaction is not visible here.
	added, removed := rbac.ChangeRoleSet(existing, desired)
	if err := q.canAssignRoles(ctx, arg.OrgID, added, removed); err != nil {
		return none, err
	}

	return q.db.UpdateMemberRoles(ctx, arg)
}
| 6980 | |
| 6981 | func (q *querier) UpdateMemoryResourceMonitor(ctx context.Context, arg database.UpdateMemoryResourceMonitorParams) error { |
| 6982 | if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceWorkspaceAgentResourceMonitor); err != nil { |