From f8c0ecb909dcbe5b688a988d696db76e7c85c92c Mon Sep 17 00:00:00 2001
From: Miguel Martinez
Date: Tue, 15 Jul 2025 17:38:13 +0200
Subject: [PATCH] Revert "chore: org viewers cannot become project admins (#2251)"

This reverts commit df71cee4270b4c5c8b1824fcfd4c803a9b392a07.

Signed-off-by: Miguel Martinez
---
 app/controlplane/internal/service/service.go | 1 -
 app/controlplane/pkg/biz/membership.go | 17 +----------------
 app/controlplane/pkg/biz/project.go | 5 -----
 .../pkg/biz/project_integration_test.go | 14 +++++++-------
 4 files changed, 8 insertions(+), 29 deletions(-)

diff --git a/app/controlplane/internal/service/service.go b/app/controlplane/internal/service/service.go
index 4c0000249..9329dd224 100644
--- a/app/controlplane/internal/service/service.go
+++ b/app/controlplane/internal/service/service.go
@@ -192,7 +192,6 @@ func (s *service) authorizeResource(ctx context.Context, op *authz.Policy, resou
 	// find the resource membership that matches the resource type and ID
 	// for example admin in project1, then apply RBAC enforcement
 	m := entities.CurrentMembership(ctx)
-	var matchingResources []*entities.ResourceMembership
 
 	// First, collect all memberships that match the requested resource type and ID
 	for _, rm := range m.Resources {
diff --git a/app/controlplane/pkg/biz/membership.go b/app/controlplane/pkg/biz/membership.go
index 1e6f0208f..539a2103c 100644
--- a/app/controlplane/pkg/biz/membership.go
+++ b/app/controlplane/pkg/biz/membership.go
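Review bot: The deleted `var matchingResources []*entities.ResourceMembership` is the only declaration of that name visible in the hunk, yet the context comment that follows still says the loop collects matching memberships; authorizeResource continues outside the hunk, so I cannot see whether the loop still appends to that name or whether it is now declared with `:=` at first use. Since this function is the RBAC enforcement point named in its own comment, it is worth confirming the package builds and behaves unchanged after the revert rather than trusting the automatic revert. If the loop no longer collects into a slice, the comment `// First, collect all memberships that match the requested resource type and ID` should be updated to describe what it does now.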
@@ -340,22 +340,7 @@ func (uc *MembershipUseCase) ListAllMembershipsForUser(ctx context.Context, user
 		return nil, fmt.Errorf("failed to list group memberships for user: %w", err)
 	}
 
-	// remove incompatible/illegal combinations (org viewer and project admin)
-	combined := make([]*Membership, 0)
-	combined = append(combined, userMemberships...)
-	for _, um := range userMemberships {
-		if um.ResourceType == authz.ResourceTypeOrganization && um.Role == authz.RoleViewer {
-			for _, gm := range groupMemberships {
-				// if user is org viewer and project admin through a group, skip it.
-				if gm.Role == authz.RoleProjectAdmin {
-					continue
-				}
-				combined = append(combined, gm)
-			}
-		}
-	}
-
-	return combined, nil
+	return append(userMemberships, groupMemberships...), nil
 }
 
 // SetProjectOwner sets the project owner (admin role). It skips the operation if an owner exists already
diff --git a/app/controlplane/pkg/biz/project.go b/app/controlplane/pkg/biz/project.go
index a1aa48248..d4b86b231 100644
--- a/app/controlplane/pkg/biz/project.go
+++ b/app/controlplane/pkg/biz/project.go
@@ -323,11 +323,6 @@ func (uc *ProjectUseCase) addUserToProject(ctx context.Context, orgID uuid.UUID,
 		return uc.handleNonExistingUser(ctx, orgID, projectID, opts)
 	}
 
-	// Org viewers cannot be added as project admin, since they cannot perform updates on resources
-	if opts.Role == authz.RoleProjectAdmin && userMembership.Role == authz.RoleViewer {
-		return nil, NewErrValidationStr("users with org role Org Viewer cannot be Project Admins")
-	}
-
 	userUUID := uuid.MustParse(userMembership.User.ID)
 
 	// Check if the user is already a member of the project
diff --git a/app/controlplane/pkg/biz/project_integration_test.go b/app/controlplane/pkg/biz/project_integration_test.go
index 146405f05..a48858ff3 100644
--- a/app/controlplane/pkg/biz/project_integration_test.go
+++ b/app/controlplane/pkg/biz/project_integration_test.go
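Review bot: The new `return append(userMemberships, groupMemberships...), nil` passes every group membership through regardless of the user's org role, and the project.go hunk (@@ -323) likewise drops the validation in addUserToProject, so after this revert a user whose org role is viewer can hold project admin both directly and via a group; neither the diff nor the commit message records why that combination is now acceptable or which layer is expected to reconcile org-level and project-level roles. Both enclosing functions begin outside their hunks, so the place to state this is their doc comments, e.g. on ListAllMembershipsForUser `// Org-level and project-level roles are returned as-is and are not reconciled here; per-resource RBAC enforcement happens in the service layer (authorizeResource).` — hedged, since the only evidence I have for that enforcement point is the comment in the service.go hunk. A smaller point of style: `append(userMemberships, groupMemberships...)` writes into userMemberships' backing array whenever it has spare capacity, which is fine if that slice is not retained by whoever produced it; if that is not guaranteed, a pre-sized copy or `slices.Concat(userMemberships, groupMemberships)` (Go 1.22+) avoids the aliasing.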
@@ -91,7 +91,7 @@ func (s *projectMembersIntegrationTestSuite) TestListMembers() {
 	// Add users to organization
 	_, err = s.Membership.Create(ctx, s.org.ID, user2.ID)
 	require.NoError(s.T(), err)
-	_, err = s.Membership.Create(ctx, s.org.ID, user3.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+	_, err = s.Membership.Create(ctx, s.org.ID, user3.ID)
 	require.NoError(s.T(), err)
 
 	// Add users to the project
@@ -201,7 +201,7 @@ func (s *projectMembersIntegrationTestSuite) TestAddMemberToProject() {
 	// Add users to organization
 	_, err = s.Membership.Create(ctx, s.org.ID, user2.ID)
 	require.NoError(s.T(), err)
-	_, err = s.Membership.Create(ctx, s.org.ID, user3.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+	_, err = s.Membership.Create(ctx, s.org.ID, user3.ID)
 	require.NoError(s.T(), err)
 
 	projectID := s.project.ID
@@ -421,7 +421,7 @@ func (s *projectMembersIntegrationTestSuite) TestRemoveMemberFromProject() {
 	// Add users to organization
 	_, err = s.Membership.Create(ctx, s.org.ID, user2.ID)
 	require.NoError(s.T(), err)
-	_, err = s.Membership.Create(ctx, s.org.ID, user3.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+	_, err = s.Membership.Create(ctx, s.org.ID, user3.ID)
 	require.NoError(s.T(), err)
 	_, err = s.Membership.Create(ctx, s.org.ID, user4.ID)
 	require.NoError(s.T(), err)
@@ -649,7 +649,7 @@ func (s *projectAdminPermissionsTestSuite) TestAdminPermissions() {
 	require.NoError(s.T(), err)
 
 	// Add the user to the organization
-	_, err = s.Membership.Create(ctx, s.org.ID, user2.ID, biz.WithCurrentMembership(), biz.WithMembershipRole(authz.RoleOrgMember))
+	_, err = s.Membership.Create(ctx, s.org.ID, user2.ID, biz.WithCurrentMembership())
 	require.NoError(s.T(), err)
 
 	// Grant project admin role to the user
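Review bot: Dropping `biz.WithMembershipRole(authz.RoleOrgMember)` makes these setups depend on whatever default org role Membership.Create assigns, which the diff does not show; the same change appears in the @@ -201, @@ -421 and @@ -649 hunks here and in the @@ -770, @@ -778 and @@ -1340 hunks that follow. If that default is the viewer role, the tests now rely implicitly on an org viewer being grantable project admin — the very combination this revert re-enables — without any test asserting it on purpose, so a future change to the default would silently change what is covered. Keeping the explicit role in the setups and adding one deliberate case around the project-admin grant in TestAdminPermissions, introduced by a comment such as `// org viewer must be grantable project admin (behaviour restored by reverting #2251)`, would pin the intended behaviour instead of leaving it to the default.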
@@ -770,7 +770,7 @@ func (s *projectPermissionsTestSuite) SetupTest() {
 	assert.NoError(err)
 
 	// Add project admin user to organization as a regular member
-	_, err = s.Membership.Create(ctx, s.org.ID, s.projectAdminUser.ID, biz.WithCurrentMembership(), biz.WithMembershipRole(authz.RoleOrgMember))
+	_, err = s.Membership.Create(ctx, s.org.ID, s.projectAdminUser.ID, biz.WithCurrentMembership())
 	assert.NoError(err)
 
 	// Create a regular user
@@ -778,7 +778,7 @@ func (s *projectPermissionsTestSuite) SetupTest() {
 	assert.NoError(err)
 
 	// Add regular user to organization as a regular member
-	_, err = s.Membership.Create(ctx, s.org.ID, s.regularUser.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+	_, err = s.Membership.Create(ctx, s.org.ID, s.regularUser.ID)
 	assert.NoError(err)
 
 	// Create a project for tests
@@ -1340,7 +1340,7 @@ func (s *projectMembersIntegrationTestSuite) TestUpdateUserRoleInProject() {
 	// Add users to organization
 	_, err = s.Membership.Create(ctx, s.org.ID, user1.ID)
 	require.NoError(s.T(), err)
-	_, err = s.Membership.Create(ctx, s.org.ID, user2.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+	_, err = s.Membership.Create(ctx, s.org.ID, user2.ID)
 	require.NoError(s.T(), err)
 
 	projectID := s.project.ID
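Review bot: The context comments `// Add project admin user to organization as a regular member` and `// Add regular user to organization as a regular member` in SetupTest are now stale in the @@ -770 and @@ -778 hunks: the explicit `biz.WithMembershipRole(authz.RoleOrgMember)` that made them true is removed, so each line now adds the user with Membership.Create's default role, which is not visible here. Either keep the comment accurate, e.g. `// Add project admin user to organization with the default org role`, or keep the role option on these two lines if "regular member" is what the permission assertions further down depend on. SetupTest continues outside both hunks, so I cannot see which of those the later assertions assume.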