hub / github.com/rilldata/rill / getResourceRestrictionsForUser

Method getResourceRestrictionsForUser

admin/server/deployment.go:908–940  ·  view source on GitHub ↗

getResourceRestrictionsForUser returns resource restrictions for a given user and project.

(ctx context.Context, projID, userID string)


// getResourceRestrictionsForUser resolves the effective resource restrictions for a user in a project.
// It combines the user's direct project membership (if one exists) with every usergroup membership
// the user has in that project.
//
// The returned bool is true only when the user has at least one membership and every membership has
// RestrictResources set; a single unrestricted membership lifts the restriction for the user.
// The returned slice is the union of the Resources of all memberships, de-duplicated in first-seen
// order (direct membership first, then usergroups in the order the DB returned them). Resources are
// collected from unrestricted memberships as well, so the slice can be non-empty when the bool is false.
//
// NOTE(security): a user with neither a direct membership nor a usergroup membership yields
// (false, nil, nil), which a caller cannot tell apart from an unrestricted member. This function does
// not decide whether the user may access the project at all; callers presumably verify project access
// before relying on the result — confirm at each call site.
func (s *Server) getResourceRestrictionsForUser(ctx context.Context, projID, userID string) (bool, []database.ResourceName, error) {
	// ErrNotFound is tolerated here: the user may hold access only through usergroups.
	// NOTE(review): the code below relies on member being nil in that case — confirm against the DB layer.
	member, err := s.admin.DB.FindProjectMemberUser(ctx, projID, userID)
	if err != nil && !errors.Is(err, database.ErrNotFound) {
		return false, nil, err
	}

	groups, err := s.admin.DB.FindProjectMemberUsergroupsForUser(ctx, projID, userID)
	if err != nil {
		return false, nil, err
	}

	var merged []database.ResourceName // stays nil when no membership lists any resource
	seen := make(map[database.ResourceName]struct{})
	collect := func(names []database.ResourceName) {
		for _, name := range names {
			if _, dup := seen[name]; dup {
				continue
			}
			seen[name] = struct{}{}
			merged = append(merged, name)
		}
	}

	// With no membership at all the result is "not restricted"; otherwise every
	// membership must be restricted for the restriction to hold.
	restricted := member != nil || len(groups) > 0
	if member != nil {
		restricted = restricted && member.RestrictResources
		collect(member.Resources)
	}
	for _, grp := range groups {
		restricted = restricted && grp.RestrictResources
		collect(grp.Resources)
	}

	return restricted, merged, nil
}
942// subjectForExternalUser generates a safe subject from an external user ID accessing a deployment in the specified project.
943// The result is safe to use as a JWT subject and in telemetry (where we need to avoid collisions and PII).

Tested by

no test coverage detected