// maybeUseGroupPermission returns a permission.UserAccess updated // with the group permissions that apply to it if higher than // current. // If the passed UserAccess is empty (controller user lacks permissions) // but the group is not, a stand-in will be created to hold the group // permissions. func maybeUseGroupPermission( userGetter userAccessFunc, externalUser permission.UserAccess, controllerTag names.ControllerTag, userTag names.UserTag, ) (permission.UserAccess, error) { everyoneTag := names.NewUserTag(EveryoneTagName) everyone, err := userGetter(everyoneTag, controllerTag) if errors.IsNotFound(err) { return externalUser, nil } if err != nil { return permission.UserAccess{}, errors.Trace(err) } if permission.IsEmptyUserAccess(externalUser) && !permission.IsEmptyUserAccess(everyone) { externalUser = newControllerUserFromGroup(everyone, userTag) } if everyone.Access.EqualOrGreaterControllerAccessThan(externalUser.Access) { externalUser.Access = everyone.Access } return externalUser, nil }