refactor: add memberRelation policy

Signed-off-by: JeffMboya <jangina.mboya@gmail.com> refactor: add memberRelation policy Signed-off-by: JeffMboya <jangina.mboya@gmail.com> refactor: add memberRelation policy Signed-off-by: JeffMboya <jangina.mboya@gmail.com> refactor:Add memberRelation policy Signed-off-by: JeffMboya <jangina.mboya@gmail.com> refactor:Add memberRelation policy Signed-off-by: JeffMboya <jangina.mboya@gmail.com> refactor:Add memberRelation policy Signed-off-by: JeffMboya <jangina.mboya@gmail.com> refactor:Add memberRelation policy Signed-off-by: JeffMboya <jangina.mboya@gmail.com> refactor:Add memberRelation policy Signed-off-by: JeffMboya <jangina.mboya@gmail.com> refactor:Add memberRelation policy Signed-off-by: JeffMboya <jangina.mboya@gmail.com> refactor: Revert changes in grpcServer struct Signed-off-by: JeffMboya <jangina.mboya@gmail.com> refactor: Revert changes in grpcServer struct Signed-off-by: JeffMboya <jangina.mboya@gmail.com> refactor: Fix authorization error in updateClientPolicy Signed-off-by: JeffMboya <jangina.mboya@gmail.com> refactor: Fix authorization error in updateClientPolicy Signed-off-by: JeffMboya <jangina.mboya@gmail.com> refactor: Fix authorization error in updateClientPolicy Signed-off-by: JeffMboya <jangina.mboya@gmail.com>
absmach · May 21, 2024 · d519516 · d519516
1 parent e9172f7
commit d519516
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/users/service.go b/users/service.go
@@ -694,6 +694,19 @@ func (svc service) addClientPolicyRollback(ctx context.Context, userID string, r
 }
 
 func (svc service) updateClientPolicy(ctx context.Context, userID string, role mgclients.Role) error {
+	res, err := svc.auth.Authorize(ctx, &magistrala.AuthorizeReq{
+		SubjectType: auth.UserType,
+		Subject:     userID,
+		Permission:  auth.MembershipPermission,
+		ObjectType:  auth.PlatformType,
+		Object:      auth.MagistralaObject,
+	})
+	if err != nil {
+		return err
+	}
+	if !res.Authorized {
+		return svcerr.ErrAuthorization
+	}
 	switch role {
 	case mgclients.AdminRole:
 		resp, err := svc.auth.AddPolicy(ctx, &magistrala.AddPolicyReq{

diff --git a/users/service_test.go b/users/service_test.go
@@ -1060,6 +1060,7 @@ func TestUpdateClientRole(t *testing.T) {
 		},
 		{
 			desc:                 "update client role to user role with failed to delete policy",
+			client:               client2,
 			identifyResponse:     &magistrala.IdentityRes{UserId: client.ID},
 			authorizeResponse:    &magistrala.AuthorizeRes{Authorized: true},
 			deletePolicyResponse: &magistrala.DeletePolicyRes{Deleted: false},
@@ -1069,6 +1070,7 @@ func TestUpdateClientRole(t *testing.T) {
 		},
 		{
 			desc:                 "update client role to user role with failed to delete policy with error",
+			client:               client2,
 			identifyResponse:     &magistrala.IdentityRes{UserId: client.ID},
 			authorizeResponse:    &magistrala.AuthorizeRes{Authorized: true},
 			deletePolicyResponse: &magistrala.DeletePolicyRes{Deleted: false},
@@ -1101,6 +1103,14 @@ func TestUpdateClientRole(t *testing.T) {
 			updateRoleErr:        svcerr.ErrAuthentication,
 			err:                  svcerr.ErrAuthentication,
 		},
+		{
+			desc:             "Update client role for non-existent user",
+			client:           mgclients.Client{},
+			identifyResponse: &magistrala.IdentityRes{},
+			identifyErr:      svcerr.ErrNotFound,
+			token:            validToken,
+			err:              svcerr.ErrNotFound,
+		},
 	}
 
 	for _, tc := range cases {