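// revokeControllerAccess lowers targetUserTag's access on the controller by
// one step relative to the access level being revoked:
//
//   - revoking login removes the user's controller access entirely;
//   - revoking add-model leaves the user with login;
//   - revoking superuser leaves the user with add-model, but only when the
//     user currently holds superuser.
//
// apiUser is accepted for interface compatibility and is not read here.
// Any authorization of the caller must happen before this function is
// invoked; nothing in this body checks it.
//
// An error is returned when the access record cannot be looked up, when the
// state update fails, or when access is not one of the three levels above.
func revokeControllerAccess(accessor *state.State, targetUserTag, apiUser names.UserTag, access permission.Access) error {
	controllerTag := accessor.ControllerTag()

	switch access {
	case permission.LoginAccess:
		// Revoking login access removes all access.
		err := accessor.RemoveUserAccess(targetUserTag, controllerTag)
		return errors.Annotate(err, "could not revoke controller access")

	case permission.AddModelAccess:
		// Revoking add-model access sets login. Login is the lowest level
		// handled here, so this write cannot raise an existing user's access.
		controllerUser, err := accessor.UserAccess(targetUserTag, controllerTag)
		if err != nil {
			return errors.Annotate(err, "could not look up controller access for user")
		}
		_, err = accessor.SetUserAccess(controllerUser.UserTag, controllerUser.Object, permission.LoginAccess)
		// The message previously said "read-only", which is not a controller
		// access level and did not match the value being written.
		return errors.Annotate(err, "could not set controller access to login")

	case permission.SuperuserAccess:
		// Revoking superuser sets add-model.
		controllerUser, err := accessor.UserAccess(targetUserTag, controllerTag)
		if err != nil {
			return errors.Annotate(err, "could not look up controller access for user")
		}
		// A revoke must never widen access. Without this guard, revoking
		// superuser from a user who only holds login would write add-model
		// and so grant a permission the user did not have. Users who are not
		// superusers have nothing to revoke, so their record is left as is.
		if controllerUser.Access != permission.SuperuserAccess {
			return nil
		}
		_, err = accessor.SetUserAccess(controllerUser.UserTag, controllerUser.Object, permission.AddModelAccess)
		return errors.Annotate(err, "could not set controller access to add-model")

	default:
		return errors.Errorf("don't know how to revoke %q access", access)
	}
}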