
add validation checks

abhishek9686 před 1 rokem
rodič
revize
306d844540
3 změnil soubory, kde provedl 42 přidání a 4 odebrání
  1. 10 2
      controllers/user.go
  2. 30 0
      logic/user_mgmt.go
  3. 2 2
      models/user_mgmt.go

+ 10 - 2
controllers/user.go

@@ -259,10 +259,12 @@ func createRole(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
 	}
-	if userRole.NetworkID == "" {
-		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "only network roles are allowed to be created"))
+	err = logic.ValidateCreateRoleReq(userRole)
+	if err != nil {
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
 	}
+	userRole.Default = false
 	userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope)
 	err = logic.CreateRole(userRole)
 	if err != nil {
@@ -292,6 +294,12 @@ func updateRole(w http.ResponseWriter, r *http.Request) {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 		return
 	}
+	err = logic.ValidateUpdateRoleReq(userRole)
+	if err != nil {
+		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
+		return
+	}
+	userRole.GlobalLevelAccess = make(map[models.RsrcType]map[models.RsrcID]models.RsrcPermissionScope)
 	err = logic.UpdateRole(userRole)
 	if err != nil {
 		logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
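Review bot: The update path never resets `userRole.Default`, so the value decoded from the request body appears to reach `logic.UpdateRole` unchanged. `ValidateUpdateRoleReq` only inspects the stored role's flag, so a caller could submit `"default": true` for a custom role; if `UpdateRole` persists the struct as given (its body is not in this hunk), that role would then be rejected by the new update and delete guards. Mirroring createRole with `userRole.Default = false` just before `err = logic.UpdateRole(userRole)` would close that gap. The body of updateRole starts and ends outside this hunk, so confirm the flag is not already cleared elsewhere.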

+ 30 - 0
logic/user_mgmt.go

@@ -3,6 +3,7 @@ package logic
 import (
 	"encoding/json"
 	"errors"
+	"fmt"
 
 	"github.com/gravitl/netmaker/database"
 	"github.com/gravitl/netmaker/models"
@@ -90,6 +91,32 @@ func ListRoles() ([]models.UserRolePermissionTemplate, error) {
 	return userRoles, nil
 }
 
+func ValidateCreateRoleReq(userRole models.UserRolePermissionTemplate) error {
+	// check if role exists with this id
+	_, err := GetRole(userRole.ID)
+	if err == nil {
+		return fmt.Errorf("role with id `%s` exists already", userRole.ID.String())
+	}
+	if userRole.NetworkID == "" {
+		return errors.New("only network roles are allowed to be created")
+	}
+	return nil
+}
+
+func ValidateUpdateRoleReq(userRole models.UserRolePermissionTemplate) error {
+	roleInDB, err := GetRole(userRole.ID)
+	if err != nil {
+		return err
+	}
+	if roleInDB.NetworkID != userRole.NetworkID {
+		return errors.New("network id mismatch")
+	}
+	if roleInDB.Default {
+		return errors.New("cannot update default role")
+	}
+	return nil
+}
+
 // CreateRole - inserts new role into DB
 func CreateRole(r models.UserRolePermissionTemplate) error {
 	// check if role already exists
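Review bot: In `ValidateCreateRoleReq`, every non-nil error from `GetRole` is treated as "role does not exist", so a database or decode failure lets the request pass validation instead of rejecting it. The check should continue only when the lookup reports a missing record and return any other error to the caller; how `GetRole` signals not-found is not visible here, so that condition needs confirming. The context line under `CreateRole` suggests it repeats the existence check, in which case one of the two lookups is redundant. Both new exported functions also lack doc comments in the file's style, for example `// ValidateCreateRoleReq - checks that the role id is unused and the role is network scoped` and `// ValidateUpdateRoleReq - rejects changes to default roles and to a role's network id`.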
@@ -151,6 +178,9 @@ func DeleteRole(rid models.UserRole) error {
 	if err != nil {
 		return err
 	}
+	if role.Default {
+		return errors.New("cannot delete default role")
+	}
 	for _, user := range users {
 		for userG := range user.UserGroups {
 			ug, err := GetUserGroup(userG)

+ 2 - 2
models/user_mgmt.go

@@ -99,7 +99,7 @@ type User struct {
 	Password       string                              `json:"password" bson:"password" validate:"required,min=5"`
 	IsAdmin        bool                                `json:"isadmin" bson:"isadmin"`
 	IsSuperAdmin   bool                                `json:"issuperadmin"`
-	RemoteGwIDs    map[string]struct{}                 `json:"remote_gw_ids"`
+	RemoteGwIDs    map[string]struct{}                 `json:"remote_gw_ids"` // deprecated
 	UserGroups     map[UserGroupID]struct{}            `json:"user_group_ids"`
 	PlatformRoleID UserRole                            `json:"platform_role_id"`
 	NetworkRoles   map[NetworkID]map[UserRole]struct{} `json:"network_roles"`
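Review bot: The trailing `// deprecated` on `RemoteGwIDs` is not recognised by Go tooling. The convention is a doc comment above the field that starts a paragraph with `// Deprecated:` and names the replacement, which gopls and staticcheck then surface at use sites. The same applies to the `ReturnUser.RemoteGwIDs` field in the next hunk. Both fields keep their `json:"remote_gw_ids"` tag, so they are still accepted and returned over the API; if that is intended only for backward compatibility, the comment is a good place to say so.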
@@ -111,7 +111,7 @@ type ReturnUser struct {
 	UserName       string                   `json:"username"`
 	IsAdmin        bool                     `json:"isadmin"`
 	IsSuperAdmin   bool                     `json:"issuperadmin"`
-	RemoteGwIDs    map[string]struct{}      `json:"remote_gw_ids"`
+	RemoteGwIDs    map[string]struct{}      `json:"remote_gw_ids"` // deprecated
 	UserGroups     map[UserGroupID]struct{} `json:"user_group_ids"`
 	PlatformRoleID string                   `json:"platform_role_id"`
 	NetworkRoles   map[NetworkID]UserRole   `json:"network_roles"`