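// getResourceRestrictionsForUser returns resource restrictions for a given user and project.
//
// The first result reports whether the user's access to the project is limited
// to the returned resources. It is true only when the user has at least one
// membership (a direct project membership or a usergroup membership) and every
// one of those memberships has RestrictResources set; a single unrestricted
// membership lifts the restriction entirely. The second result is the union of
// the resources granted by all memberships, deduplicated while preserving
// first-seen order (direct membership first, then usergroups in the order the
// DB returned them). It is nil when no membership grants any resource, which
// can coincide with a true first result.
//
// A missing direct membership (database.ErrNotFound) is not an error; any other
// lookup failure is returned unchanged.
func (s *Server) getResourceRestrictionsForUser(ctx context.Context, projID, userID string) (bool, []database.ResourceName, error) {
	mu, err := s.admin.DB.FindProjectMemberUser(ctx, projID, userID)
	if err != nil && !errors.Is(err, database.ErrNotFound) {
		return false, nil, err
	}
	// NOTE(review): relies on FindProjectMemberUser returning a nil mu together
	// with ErrNotFound; a non-nil value there would count as a real membership.
	mug, err := s.admin.DB.FindProjectMemberUsergroupsForUser(ctx, projID, userID)
	if err != nil {
		return false, nil, err
	}

	// Restriction applies only if every membership restricts: start from
	// "has any membership" and AND in each membership's flag below.
	restrictResources := mu != nil || len(mug) > 0

	// Deduplicate while collecting, so no intermediate slice is needed and the
	// first occurrence of each resource decides its position.
	var merged []database.ResourceName
	seen := make(map[database.ResourceName]struct{})
	add := func(rs []database.ResourceName) {
		for _, r := range rs {
			if _, ok := seen[r]; ok {
				continue
			}
			seen[r] = struct{}{}
			merged = append(merged, r)
		}
	}

	if mu != nil {
		restrictResources = restrictResources && mu.RestrictResources
		add(mu.Resources)
	}
	// Ranging over an empty slice is a no-op, so no length guard is needed.
	for _, g := range mug {
		restrictResources = restrictResources && g.RestrictResources
		add(g.Resources)
	}

	return restrictResources, merged, nil
}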
| 941 | |
| 942 | // subjectForExternalUser generates a safe subject from an external user ID accessing a deployment in the specified project. |
| 943 | // The result is safe to use as a JWT subject and in telemetry (where we need to avoid collisions and PII). |