add mismatch check

sherlock/internal/models/role_assignment.go

@@ -105,6 +105,8 @@ func (ra *RoleAssignment) errorIfForbidden(tx *gorm.DB) error {
 	}
 	if targetRole.CanBeGlassBrokenByRoleID == nil {
 		return fmt.Errorf("(%s) role %s (%d) cannot be glass-broken and the caller is not a super-admin who can make non-glass-break assignments", errors.Forbidden, *targetRole.Name, current.RoleID)
+	} else if ra.UserID != user.ID {
+		return fmt.Errorf("(%s) a caller may only make break-glass assignments for themselves", errors.Forbidden)
 	} else if targetRole.DefaultGlassBreakDuration == nil {
 		return fmt.Errorf("role %s (%d) is misconfigured: it declares that it can be glass-broken but defines no default duration", *targetRole.Name, current.RoleID)
 	} else {

sherlock/internal/models/role_assignment_test.go

@@ -152,6 +152,22 @@ func (s *modelSuite) TestRoleAssignmentBreakGlassForbiddenSuspended() {
 	s.ErrorContains(err, "the break-glass assignment is suspended (break-glass and suspensions don't mix)")
 }
 
+func (s *modelSuite) TestRoleAssignmentBreakGlassForbiddenMismatch() {
+	s.TestData.RoleAssignment_Suitable_TerraSuitableEngineer()
+	breakGlassRoleAssignment := RoleAssignment{
+		RoleID: s.TestData.Role_TerraGlassBrokenAdmin().ID,
+		UserID: s.TestData.User_NonSuitable().ID,
+		RoleAssignmentFields: RoleAssignmentFields{
+			Suspended: utils.PointerTo(false),
+			ExpiresAt: utils.PointerTo(time.Now().Add(time.Hour)),
+		},
+	}
+	s.SetSuitableTestUserForDB(true)
+	err := s.DB.Create(&breakGlassRoleAssignment).Error
+	s.ErrorContains(err, errors.Forbidden)
+	s.ErrorContains(err, "a caller may only make break-glass assignments for themselves")
+}
+
 func (s *modelSuite) TestRoleAssignmentBreakGlassAllowed() {
 	s.TestData.RoleAssignment_Suitable_TerraSuitableEngineer()
 	breakGlassRoleAssignment := RoleAssignment{