Handle private role ids for setting user roles

jdavcs · Sep 2, 2024 · 181e551 · 181e551
1 parent aff27a0
commit 181e551
Showing 1 changed file with 15 additions and 2 deletions.
diff --git a/lib/galaxy/model/security.py b/lib/galaxy/model/security.py
@@ -1518,8 +1518,21 @@ def _set_user_roles(self, user, role_ids):
             delete_stmt = delete_stmt.where(UserRoleAssociation.role_id != private_role.id)
         except AttributeError:
             log.warning("User %s does not have a private role assigned", user)
-        insert_values = [{"user_id": user.id, "role_id": role_id} for role_id in role_ids]
-        self._set_associations(user, UserRoleAssociation, delete_stmt, insert_values)
+        role_ids = self._filter_private_roles(role_ids)
+        if role_ids:
+            insert_values = [{"user_id": user.id, "role_id": role_id} for role_id in role_ids]
+            self._set_associations(user, UserRoleAssociation, delete_stmt, insert_values)
+
+    def _filter_private_roles(self, role_ids):
+        """Filter out IDs of private roles"""
+        # TODO role_ids (payload from the UI) include user's private role; that shoudl not be the case.
+        filtered = []
+        for role_id in role_ids:
+            stmt = select(Role.id).where(Role.id == role_id).where(Role.type == Role.types.PRIVATE)
+            is_private = bool(self.sa_session.scalars(stmt).all())
+            if not is_private:
+                filtered.append(role_id)
+        return filtered
 
     def _set_group_users(self, group, user_ids):
         delete_stmt = delete(UserGroupAssociation).where(UserGroupAssociation.group_id == group.id)