fix: code improvement by first checking for the user instead of the a…

…dmin role
akto-api-security · Dec 12, 2024 · 66e4576 · 66e4576
1 parent cacd86a
commit 66e4576
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/apps/dashboard/src/main/java/com/akto/action/testing/TestRolesAction.java b/apps/dashboard/src/main/java/com/akto/action/testing/TestRolesAction.java
@@ -145,10 +145,14 @@ public String deleteTestRole() {
             return ERROR.toUpperCase();
         }
 
-        RBAC.Role currentRoleForUser = RBACDao.getCurrentRoleForUser(user.getId(), Context.accountId.get());
-        if(!currentRoleForUser.equals(RBAC.Role.ADMIN) && !user.getLogin().equals(role.getCreatedBy())) {
-            addActionError("You do not have permission to delete this role.");
-            return ERROR.toUpperCase();
+        boolean noAccess = !user.getLogin().equals(role.getCreatedBy());
+
+        if(noAccess) {
+            RBAC.Role currentRoleForUser = RBACDao.getCurrentRoleForUser(user.getId(), Context.accountId.get());
+            if (!currentRoleForUser.equals(RBAC.Role.ADMIN)) {
+                addActionError("You do not have permission to delete this role.");
+                return ERROR.toUpperCase();
+            }
         }
 
         Bson roleFilterQ = Filters.eq(TestRoles.NAME, roleName);