UpdateUserRoles updates the site roles of a user. The validation for this function include more than just a basic RBAC check.
(ctx context.Context, arg database.UpdateUserRolesParams)
| 7549 | // UpdateUserRoles updates the site roles of a user. The validation for this function include more than |
| 7550 | // just a basic RBAC check. |
| 7551 | func (q *querier) UpdateUserRoles(ctx context.Context, arg database.UpdateUserRolesParams) (database.User, error) { |
| 7552 | // We need to fetch the user being updated to identify the change in roles. |
| 7553 | // This requires read access on the user in question, since the user is |
| 7554 | // returned from this function. |
| 7555 | user, err := fetch(q.log, q.auth, q.db.GetUserByID)(ctx, arg.ID) |
| 7556 | if err != nil { |
| 7557 | return database.User{}, err |
| 7558 | } |
| 7559 | |
| 7560 | // The member role is always implied. |
| 7561 | impliedTypes := append(q.convertToDeploymentRoles(arg.GrantedRoles), rbac.RoleMember()) |
| 7562 | // If the changeset is nothing, less rbac checks need to be done. |
| 7563 | added, removed := rbac.ChangeRoleSet(q.convertToDeploymentRoles(user.RBACRoles), impliedTypes) |
| 7564 | err = q.canAssignRoles(ctx, uuid.Nil, added, removed) |
| 7565 | if err != nil { |
| 7566 | return database.User{}, err |
| 7567 | } |
| 7568 | |
| 7569 | return q.db.UpdateUserRoles(ctx, arg) |
| 7570 | } |
| 7571 | |
| 7572 | func (q *querier) UpdateUserSecretByUserIDAndName(ctx context.Context, arg database.UpdateUserSecretByUserIDAndNameParams) (database.UserSecret, error) { |
| 7573 | obj := rbac.ResourceUserSecret.WithOwner(arg.UserID.String()) |
nothing calls this directly
no test coverage detected