Currently, any time the updateUser or updateRole commands modify the roles that a user or role possesses, they require the permission to revoke any role in the system. This is because we are setting the current roles array to a new one and don't know which roles might be removed by this update. We should instead fetch the definition of the user/role being updated so we know what that user's/role's current roles are in the authorization check. Once we know the roles it had previously and the roles that its roles array is being set to, we can do a set difference to determine which roles are being removed and then only require the revokeRole privilege on the databases for the roles that are actually being removed.
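A sketch of the proposed check, added here as an illustration and not taken from the MongoDB server code. All function names are hypothetical, and it assumes role entries are either `{role, db}` documents or bare strings naming a role on the database the command runs against.

```javascript
// Added illustration, not MongoDB server code. Function names are hypothetical.

// Role entries may be a bare string (role on the command's database) or a
// {role, db} document; index both forms by an unambiguous [db, role] key.
function normalizeRoles(roles, commandDb) {
  const out = new Map();
  for (const r of roles) {
    const doc = typeof r === "string" ? { role: r, db: commandDb } : r;
    if (typeof doc.role !== "string" || typeof doc.db !== "string") {
      throw new TypeError("role entry must be a string or {role, db}");
    }
    out.set(JSON.stringify([doc.db, doc.role]), { role: doc.role, db: doc.db });
  }
  return out;
}

// Set difference: roles held now that are absent from the requested array.
function rolesBeingRemoved(currentRoles, newRoles, commandDb) {
  if (newRoles === undefined) return []; // the update does not touch roles
  const current = normalizeRoles(currentRoles, commandDb);
  const next = normalizeRoles(newRoles, commandDb);
  return [...current].filter(([key]) => !next.has(key)).map(([, doc]) => doc);
}

// Databases on which the caller must hold revokeRole for this update.
function databasesNeedingRevoke(currentRoles, newRoles, commandDb) {
  const dbs = rolesBeingRemoved(currentRoles, newRoles, commandDb).map(r => r.db);
  return [...new Set(dbs)].sort();
}

// callerRevokeDbs: databases where the caller holds revokeRole (constructed input).
function isRoleUpdateAuthorized(currentRoles, newRoles, commandDb, callerRevokeDbs) {
  const held = new Set(callerRevokeDbs);
  return databasesNeedingRevoke(currentRoles, newRoles, commandDb)
    .every(db => held.has(db));
}

// Constructed sample: the update keeps one role, drops two and adds one.
const sampleCurrent = [
  { role: "readWrite", db: "app" },
  { role: "read", db: "reporting" },
  { role: "dbAdmin", db: "app" },
];
const sampleRequested = ["readWrite", { role: "read", db: "audit" }];
console.log(databasesNeedingRevoke(sampleCurrent, sampleRequested, "app"));
console.log(isRoleUpdateAuthorized(sampleCurrent, sampleRequested, "app", ["app"]));
```

An update that only adds roles, or that leaves the roles array out entirely, yields an empty difference and so requires no revokeRole privilege at all.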