hub / github.com/PatchMon/PatchMon / canAssignRole

Method canAssignRole

server-source-code/internal/handler/users.go:62–87  ·  view source on GitHub ↗

canAssignRole checks whether the calling user is allowed to assign the target role.

(r *http.Request, callerRole, targetRole string)

Source from the content-addressed store, hash-verified

// canAssignRole reports whether a caller holding callerRole may grant
// targetRole to a user.
//
// admin and superadmin bypass permission checks in middleware, so this
// function is where the role hierarchy is enforced for them as well.
//
// Rules, evaluated in order:
//   - "superadmin" may be granted by a superadmin, never by an admin, and by
//     any other role only when its permission record has CanManageSuperusers.
//   - "admin" may be granted only by a superadmin.
//   - any other target role requires roleRank(callerRole) to be at least
//     roleRank(targetRole).
//
// The "superadmin" and "admin" names are matched as exact strings. The request
// is used only for its context during the permission lookup.
func (h *UsersHandler) canAssignRole(r *http.Request, callerRole, targetRole string) bool {
	switch targetRole {
	case "superadmin":
		switch callerRole {
		case "superadmin":
			return true
		case "admin":
			// Rejected before any lookup: admins don't have
			// can_manage_superusers by default, and this branch denies the
			// grant whatever the admin permission record contains.
			return false
		}
		// Any other role needs an explicit can_manage_superusers grant.
		perm, err := h.permissions.GetByRole(r.Context(), callerRole)
		if err == nil && perm != nil {
			return perm.CanManageSuperusers
		}
		// Fail closed: a lookup error or a missing permission record denies
		// the assignment. The error is not surfaced to the caller or logged
		// here.
		return false
	case "admin":
		return callerRole == "superadmin"
	default:
		// NOTE(review): roleRank is defined outside this block. Confirm how it
		// ranks role names it does not recognise (including the empty string):
		// the comparison is >=, so a caller and target that share a rank pass.
		return roleRank(callerRole) >= roleRank(targetRole)
	}
}
88
89// List returns paginated users.
90func (h *UsersHandler) List(w http.ResponseWriter, r *http.Request) {

Callers 2

CreateMethod · 0.95
UpdateMethod · 0.95

Calls 2

roleRankFunction · 0.85
GetByRoleMethod · 0.80

Tested by

no test coverage detected