-rw-r--r--core/usermanager.lua8
-rw-r--r--plugins/mod_authz_internal.lua12
2 files changed, 20 insertions, 0 deletions
diff --git a/core/usermanager.lua b/core/usermanager.lua
index cf54fc31..4f15c302 100644
--- a/core/usermanager.lua
+++ b/core/usermanager.lua
@@ -164,6 +164,13 @@ local function set_user_role(user, host, role_name)
return role, err;
end
+local function user_can_assume_role(user, host, role_name)
+ if host and not hosts[host] then return false; end
+ if type(user) ~= "string" then return false; end
+
+ return hosts[host].authz.user_can_assume_role(user, role_name);
+end
+
local function add_user_secondary_role(user, host, role_name)
if host and not hosts[host] then return false; end
if type(user) ~= "string" then return false; end
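Review bot: In the new `user_can_assume_role`, the guard `if host and not hosts[host]` lets a nil `host` through, so the following `hosts[host].authz.user_can_assume_role(...)` indexes a nil value and raises instead of returning false. An authorization predicate should deny cleanly: `if not host or not hosts[host] then return false; end`. The call also assumes every authz provider implements `user_can_assume_role`; a provider other than the one patched in this commit would presumably raise here, so checking that `hosts[host].authz` has the method and returning false otherwise keeps the check fail-closed. The same host guard appears in `add_user_secondary_role` just below, whose body continues outside the hunk.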
@@ -260,6 +267,7 @@ return {
get_provider = get_provider;
get_user_role = get_user_role;
set_user_role = set_user_role;
+ user_can_assume_role = user_can_assume_role;
add_user_secondary_role = add_user_secondary_role;
remove_user_secondary_role = remove_user_secondary_role;
get_user_secondary_roles = get_user_secondary_roles;
diff --git a/plugins/mod_authz_internal.lua b/plugins/mod_authz_internal.lua
index af402d3e..4f88b176 100644
--- a/plugins/mod_authz_internal.lua
+++ b/plugins/mod_authz_internal.lua
@@ -181,6 +181,18 @@ function get_user_secondary_roles(user)
return stored_roles;
end
+function user_can_assume_role(user, role_name)
+ local primary_role = get_user_role(user);
+ if primary_role and primary_role.role_name == role_name then
+ return true;
+ end
+ local secondary_roles = get_user_secondary_roles(user);
+ if secondary_roles and secondary_roles[role_name] then
+ return true;
+ end
+ return false;
+end
+
-- This function is *expensive*
function get_users_with_role(role_name)
local function role_filter(username, default_role) --luacheck: ignore 212/username
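Review bot: `user_can_assume_role` never checks that `role_name` is a string, and the primary-role test `primary_role.role_name == role_name` returns true whenever both sides are nil. The role object's fields are not visible in this hunk; if it carries no `role_name` field (worth confirming against the role definition), a nil `role_name` would be granted and a real one would never match the primary role. Adding `if type(role_name) ~= "string" then return false; end` at the top makes the nil case deny. A short doc comment stating that only exact primary or secondary membership counts would also help callers that use this as an authorization gate.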