feat(3344): Add checks for role permissions#26
Conversation
| return true | ||
| } | ||
| const role = select.role(previousState, roleName) | ||
| if (role.createdBy === assigningUserId) { |
There was a problem hiding this comment.
This prevents us from ever revoking the permissions of a user who creates a role
There was a problem hiding this comment.
This shouldn't have any effect on revocations since this is only run on ADD_MEMBER_ROLE.
| } | ||
|
|
||
| public memberCanDeleteRole(roleName: string, memberId: string): boolean { | ||
| return this.memberCanPerformAction(memberId, 'REMOVE_ROLE') |
There was a problem hiding this comment.
This is missing the assert(roleName !== ADMIN, 'Cannot remove admin role') like in removeRole that prevents the admin role from being deleted
| } | ||
|
|
||
| /** Check if member has permissions to create roles */ | ||
| public memberCanPerformAction(memberId: string, actionType: TeamAction['type']): boolean { |
There was a problem hiding this comment.
I don't think this accurately tests whether an action can be performed because it doesn't take into account payloads (i.e. calling REMOVE_DEVICE for someone else's device.
There was a problem hiding this comment.
Ahh yea this should be private and maybe renamed. For specific actions we'll need to add more logic to their checks, this is only meant to capture if the member is priveleged enough to run an action.
No description provided.