From 6419363220a48e1e2e02a14207ce969fed7291cc Mon Sep 17 00:00:00 2001
From: Denis Arh <denis.arh@gmail.com>
Date: Mon, 2 Aug 2021 15:18:23 +0200
Subject: [PATCH] Fix system role membership management

---
 system/service/role.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/system/service/role.go b/system/service/role.go
index d9ec1fdc0..aa279d460 100644
--- a/system/service/role.go
+++ b/system/service/role.go
@@ -353,12 +353,19 @@ func (svc role) Update(ctx context.Context, upd *types.Role) (r *types.Role, err
 			return
 		}
 
+		raProps.setRole(r)
+
 		if svc.IsSystem(r) {
+			// prevent system role updates
+			// we need this here because of the clumsy way
+			// how rest endpoint handler is implemented ATM
+			if r.Handle == upd.Handle && r.Name == upd.Name {
+				// no change.
+				return nil
+			}
 			return RoleErrNotAllowedToUpdate()
 		}
 
-		raProps.setRole(r)
-
 		if err = svc.eventbus.WaitFor(ctx, event.RoleBeforeUpdate(upd, r)); err != nil {
 			return
 		}