Update comment

Emyrk · Emyrk · commit cd2fda70566d · 2022-05-13T13:26:40.000-05:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -240,7 +240,7 @@ func New(options *Options) (http.Handler, func()) {
 				)
 				r.Group(func(r chi.Router) {
 					// Site wide, all users
-					r.Use(httpmw.WithRBACObject(rbac.ResourceUser.All()))
+					r.Use(httpmw.WithRBACObject(rbac.ResourceUser))
 					r.Post("/", authorize(api.postUser, rbac.ActionCreate))
 					r.Get("/", authorize(api.users, rbac.ActionRead))
 				})
diff --git a/coderd/users.go b/coderd/users.go
@@ -399,7 +399,9 @@ func (api *api) putUserRoles(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	for _, roleName := range params.Roles {
-		// If the user already has the role, we don't need to check the permission.
+		// If the user already has the role assigned, we don't need to check the permission
+		// to reassign it. Only run permission checks on the difference in the set of
+		// roles.
 		if _, ok := has[roleName]; ok {
 			delete(has, roleName)
 			continue

Original file line number	Diff line number	Diff line change
`@@ -240,7 +240,7 @@ func New(options *Options) (http.Handler, func()) {`
`240`	`240`	`)`
`241`	`241`	`r.Group(func(r chi.Router) {`
`242`	`242`	`// Site wide, all users`
`243`		`- r.Use(httpmw.WithRBACObject(rbac.ResourceUser.All()))`
	`243`	`+ r.Use(httpmw.WithRBACObject(rbac.ResourceUser))`
`244`	`244`	`r.Post("/", authorize(api.postUser, rbac.ActionCreate))`
`245`	`245`	`r.Get("/", authorize(api.users, rbac.ActionRead))`
`246`	`246`	`})`