validate role actions on resource for updates (#230)

Validate role actions on the resource not the role type when updating a
role.

Signed-off-by: Mike Mason <[email protected]>

Author: mikemrm

internal/query/relations.go

@@ -405,10 +405,6 @@ func (e *engine) UpdateRole(ctx context.Context, actor, roleResource types.Resou
 
 	defer span.End()
 
-	if err := e.validateResourceActions(roleResource, newActions...); err != nil {
-		return types.Role{}, err
-	}
-
 	dbCtx, err := e.store.BeginContext(ctx)
 	if err != nil {
 		return types.Role{}, err
@@ -433,6 +429,20 @@ func (e *engine) UpdateRole(ctx context.Context, actor, roleResource types.Resou
 		return types.Role{}, err
 	}
 
+	res, err := e.NewResourceFromID(role.ResourceID)
+	if err != nil {
+		logRollbackErr(e.logger, e.store.RollbackContext(dbCtx))
+
+		return types.Role{}, err
+	}
+
+	// Validate actions against role resource
+	if err := e.validateResourceActions(res, newActions...); err != nil {
+		logRollbackErr(e.logger, e.store.RollbackContext(dbCtx))
+
+		return types.Role{}, err
+	}
+
 	newName = strings.TrimSpace(newName)
 
 	if newName == "" {