From 05a475271a2c37ba6ced90b85e53015c47d573bc Mon Sep 17 00:00:00 2001
From: Apoorv Dixit <64925866+apoorvdixit88@users.noreply.github.com>
Date: Wed, 6 Mar 2024 13:00:12 +0530
Subject: [PATCH] fix(user): improve role validation to prevent duplicate groups (#3949)
---
 crates/common_enums/src/enums.rs | 1 +
 crates/router/src/utils/user_role.rs | 11 ++++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/crates/common_enums/src/enums.rs b/crates/common_enums/src/enums.rs
index 169b3fab12..ae2fb28aae 100644
--- a/crates/common_enums/src/enums.rs
+++ b/crates/common_enums/src/enums.rs
@@ -2329,6 +2329,7 @@ pub enum RoleScope {
 Debug,
 Eq,
 PartialEq,
+ Hash,
 serde::Serialize,
 serde::Deserialize,
 strum::Display,
diff --git a/crates/router/src/utils/user_role.rs b/crates/router/src/utils/user_role.rs
index a0ac140058..8c2c293da9 100644
--- a/crates/router/src/utils/user_role.rs
+++ b/crates/router/src/utils/user_role.rs
@@ -1,3 +1,5 @@
+use std::collections::HashSet;
+
 use api_models::user_role as user_role_api;
 use common_enums::PermissionGroup;
 use diesel_models::user_role::UserRole;
@@ -51,11 +53,18 @@ pub fn validate_role_groups(groups: &[PermissionGroup]) -> UserResult<()> {
 .attach_printable("Role groups cannot be empty");
 }
- if groups.contains(&PermissionGroup::OrganizationManage) {
+ let unique_groups: HashSet<_> = groups.iter().cloned().collect();
+
+ if unique_groups.contains(&PermissionGroup::OrganizationManage) {
 return Err(UserErrors::InvalidRoleOperation.into())
 .attach_printable("Organization manage group cannot be added to role");
 }
+ if unique_groups.len() != groups.len() {
+ return Err(UserErrors::InvalidRoleOperation.into())
+ .attach_printable("Duplicate permission group found");
+ }
+
 Ok(())
 }
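Review bot: In the `validate_role_groups` hunk, `groups.iter().cloned().collect()` clones every `PermissionGroup` only to run one membership test and one length comparison. Collecting references does the same work without the clones: `let unique_groups: HashSet<&PermissionGroup> = groups.iter().collect();`, and both `contains(&PermissionGroup::OrganizationManage)` and the `len()` comparison should keep working as written. This function appears to decide which permission groups a role may carry, so a doc comment naming its three rejections would help the next reader, e.g. `/// Rejects an empty list, the OrganizationManage group, and duplicate groups.` The function body starts above the hunk, so the empty-list check is only partly visible here.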