// canAssignRole checks whether the calling user is allowed to assign the target role.
//
// The hierarchy enforced here is independent of the middleware permission
// checks (which admin and superadmin bypass):
//   - "superadmin" may be assigned by a superadmin, or by a caller in any role
//     other than admin whose stored permissions set CanManageSuperusers;
//     an admin caller is always refused.
//   - "admin" may only be assigned by a superadmin.
//   - every other target role requires roleRank(callerRole) >= roleRank(targetRole).
//
// A failed permission lookup, or a nil permission record, denies the
// assignment (fail closed). Note that a non-admin caller granted
// CanManageSuperusers can assign superadmin here but is still refused for
// admin; that asymmetry is preserved as written.
func (h *UsersHandler) canAssignRole(r *http.Request, callerRole, targetRole string) bool {
	switch targetRole {
	case "superadmin":
		switch callerRole {
		case "superadmin":
			return true
		case "admin":
			// admins don't have can_manage_superusers by default
			return false
		}
		// Any remaining caller role must carry the stored can_manage_superusers flag.
		perm, lookupErr := h.permissions.GetByRole(r.Context(), callerRole)
		if lookupErr != nil || perm == nil {
			// Fail closed: a lookup error or missing record never grants the assignment.
			return false
		}
		return perm.CanManageSuperusers
	case "admin":
		// Only superadmin can assign admin.
		return callerRole == "superadmin"
	default:
		// For other roles the caller must rank at least as high as the target.
		// NOTE(review): roleRank is defined elsewhere in the file; confirm it maps
		// unknown or empty role names to a rank that cannot satisfy this comparison,
		// otherwise two unrecognised role strings would pass as equal rank.
		return roleRank(callerRole) >= roleRank(targetRole)
	}
}
| 89 | // List returns paginated users. |
| 90 | func (h *UsersHandler) List(w http.ResponseWriter, r *http.Request) { |