ProjectPermissionsForUser resolves project permissions for a user.
(ctx context.Context, projectID, userID string, orgPerms *adminv1.OrganizationPermissions)
| 100 | |
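// ProjectPermissionsForUser resolves the effective project permissions for a user.
//
// If orgPerms grants ManageProjects, every project permission listed below is
// returned as true and the user's project roles are not consulted. This method
// trusts orgPerms as given: nothing here checks that it was resolved for userID
// or for the organization that owns projectID.
// NOTE(review): confirm every caller resolves orgPerms for the project's own organization.
//
// Otherwise the user's roles on the project are loaded through s.DB and merged
// with UnionProjectRoles. A user with no roles receives an all-false
// ProjectPermissions and a nil error.
//
// A nil orgPerms is treated as "no organization-level grant" (deny by default)
// rather than dereferenced, so a missing value cannot panic the authorization path.
//
// An error from the role lookup is returned unchanged, together with nil permissions.
func (s *Service) ProjectPermissionsForUser(ctx context.Context, projectID, userID string, orgPerms *adminv1.OrganizationPermissions) (*adminv1.ProjectPermissions, error) {
	// ManageProjects permission on the org gives full access to all projects in the org (only org admins have this).
	// The nil guard keeps the fall-through path least-privilege: without org permissions only project roles count.
	if orgPerms != nil && orgPerms.ManageProjects {
		// Permissions are enumerated explicitly. Any field not listed here keeps its
		// zero value (false) for org admins, so a newly introduced permission must be
		// added to this literal to be granted.
		return &adminv1.ProjectPermissions{
			Admin:                      true,
			ReadProject:                true,
			ManageProject:              true,
			ReadProd:                   true,
			ReadProdStatus:             true,
			ManageProd:                 true,
			ReadDev:                    true,
			ReadDevStatus:              true,
			ManageDev:                  true,
			ReadProvisionerResources:   true,
			ManageProvisionerResources: true,
			ReadProjectMembers:         true,
			ManageProjectMembers:       true,
			ManageProjectAdmins:        true,
			CreateMagicAuthTokens:      true,
			ManageMagicAuthTokens:      true,
			CreateReports:              true,
			ManageReports:              true,
			CreateAlerts:               true,
			ManageAlerts:               true,
			CreateBookmarks:            true,
			ManageBookmarks:            true,
		}, nil
	}

	roles, err := s.DB.ResolveProjectRolesForUser(ctx, userID, projectID)
	if err != nil {
		// Fail closed: no permissions object is returned when the lookup fails.
		return nil, err
	}

	// Start from the all-false zero value and widen it role by role; with no
	// roles the loop does not run and the empty permission set is returned.
	composite := &adminv1.ProjectPermissions{}
	for _, role := range roles {
		composite = UnionProjectRoles(composite, role)
	}

	return composite, nil
}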
| 147 | |
| 148 | // ProjectPermissionsForService resolves project permissions for a service. |
| 149 | // If the service has roles, it uses those roles to determine permissions. If no roles are found, then it falls back to just giving read permissions to project if the service is in the org. |
no test coverage detected