From 3b579d39bcd5a6e60ce74bcbccf66fbf9e8e5771 Mon Sep 17 00:00:00 2001
From: Mike Mason
Date: Mon, 18 Mar 2024 09:17:10 -0500
Subject: [PATCH] validate role actions on resource for updates (#230)
Validate role actions on the resource not the role type when updating a role.
Signed-off-by: Mike Mason
---
 internal/query/relations.go | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/internal/query/relations.go b/internal/query/relations.go
index 452b5590..0ea039f0 100644
--- a/internal/query/relations.go
+++ b/internal/query/relations.go
@@ -405,10 +405,6 @@ func (e *engine) UpdateRole(ctx context.Context, actor, roleResource types.Resou
 defer span.End()
- if err := e.validateResourceActions(roleResource, newActions...); err != nil {
- return types.Role{}, err
- }
-
 dbCtx, err := e.store.BeginContext(ctx)
 if err != nil {
 return types.Role{}, err
@@ -433,6 +429,20 @@ func (e *engine) UpdateRole(ctx context.Context, actor, roleResource types.Resou
 return types.Role{}, err
 }
+ res, err := e.NewResourceFromID(role.ResourceID)
+ if err != nil {
+ logRollbackErr(e.logger, e.store.RollbackContext(dbCtx))
+
+ return types.Role{}, err
+ }
+
+ // Validate actions against role resource
+ if err := e.validateResourceActions(res, newActions...); err != nil {
+ logRollbackErr(e.logger, e.store.RollbackContext(dbCtx))
+
+ return types.Role{}, err
+ }
+
 newName = strings.TrimSpace(newName)
 if newName == "" {
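Review bot: The comment `// Validate actions against role resource` in the second hunk does not say which resource is meant, and that distinction is the whole fix: the check has to use the resource built from `role.ResourceID`, not the `roleResource` argument, which per the commit message carries the role type. I would spell it out, e.g. `// Validate newActions against the resource that owns the role (role.ResourceID); roleResource is presumably the role itself, and its type does not define those actions.` The diffstat shows only relations.go changed, so nothing pins this authorization-relevant behaviour; a test that updates a role with an action valid on the owning resource type, and one with an action that type does not define, would keep the check from regressing to the wrong type. UpdateRole starts and ends outside the hunk, so how `newActions` is applied after the check is not visible here.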