Skip to content

chore(rbac): Revert Prevent user with org viewer role to become group maintainers #2272

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 18, 2025
+10 −29
Merged

chore(rbac): Revert Prevent user with org viewer role to become group maintainers #2272

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 0 additions & 19 deletions app/controlplane/pkg/biz/group.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -579,11 +579,6 @@ func (uc *GroupUseCase) addExistingUserToGroup(ctx context.Context, orgID, group
return nil, NewErrAlreadyExistsStr("user is already a member of this group")
}

// If trying to make the user a maintainer, verify they don't have the org viewer role
if opts.Maintainer && userMembership.Role == authz.RoleViewer {
return nil, NewErrValidationStr("users with organization viewer role cannot be group maintainers")
}

// Add the user to the group
membership, err := uc.groupRepo.AddMemberToGroup(ctx, orgID, groupID, userUUID, opts.Maintainer)
if err != nil {
Expand Down Expand Up @@ -813,20 +808,6 @@ func (uc *GroupUseCase) UpdateMemberMaintainerStatus(ctx context.Context, orgID
return NewErrValidationStr("user is not a member of this group")
}

// If trying to make the user a maintainer, verify they don't have the org viewer role
if opts.IsMaintainer {
// Check the user's org role
userOrgMembership, err := uc.membershipRepo.FindByOrgAndUser(ctx, orgID, userUUID)
if err != nil {
return fmt.Errorf("failed to check user's organization role: %w", err)
}

// Prevent org viewers from becoming maintainers
if userOrgMembership.Role == authz.RoleViewer {
return NewErrValidationStr("users with organization viewer role cannot be group maintainers")
}
}

// Update the member's maintainer status
if err := uc.groupRepo.UpdateMemberMaintainerStatus(ctx, orgID, resolvedGroupID, userUUID, opts.IsMaintainer); err != nil {
return fmt.Errorf("failed to update member maintainer status: %w", err)
Expand Down
20 changes: 10 additions & 10 deletions app/controlplane/pkg/biz/group_integration_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -705,7 +705,7 @@ func (s *groupMembersIntegrationTestSuite) TestAddMemberToGroup() {
// Add users to organization
_, err = s.Membership.Create(ctx, s.org.ID, user2.ID)
require.NoError(s.T(), err)
_, err = s.Membership.Create(ctx, s.org.ID, user3.ID, biz.WithMembershipRole(authz.RoleOrgMember))
_, err = s.Membership.Create(ctx, s.org.ID, user3.ID)
require.NoError(s.T(), err)

s.Run("add member using group ID", func() {
Expand Down Expand Up @@ -945,11 +945,11 @@ func (s *groupMembersIntegrationTestSuite) TestRemoveMemberFromGroup() {
require.NoError(s.T(), err)

// Add users to organization
_, err = s.Membership.Create(ctx, s.org.ID, user2.ID, biz.WithMembershipRole(authz.RoleOrgMember))
_, err = s.Membership.Create(ctx, s.org.ID, user2.ID)
require.NoError(s.T(), err)
_, err = s.Membership.Create(ctx, s.org.ID, user3.ID, biz.WithMembershipRole(authz.RoleOrgMember))
_, err = s.Membership.Create(ctx, s.org.ID, user3.ID)
require.NoError(s.T(), err)
_, err = s.Membership.Create(ctx, s.org.ID, user4.ID, biz.WithMembershipRole(authz.RoleOrgMember))
_, err = s.Membership.Create(ctx, s.org.ID, user4.ID)
require.NoError(s.T(), err)

// Add users to the group
Expand Down Expand Up @@ -1175,9 +1175,9 @@ func (s *groupMembersIntegrationTestSuite) TestGroupMemberCount() {
require.NoError(s.T(), err)

// Add users to organization
_, err = s.Membership.Create(ctx, s.org.ID, user2.ID, biz.WithMembershipRole(authz.RoleOrgMember))
_, err = s.Membership.Create(ctx, s.org.ID, user2.ID)
require.NoError(s.T(), err)
_, err = s.Membership.Create(ctx, s.org.ID, user3.ID, biz.WithMembershipRole(authz.RoleOrgMember))
_, err = s.Membership.Create(ctx, s.org.ID, user3.ID)
require.NoError(s.T(), err)

// Check initial member count
Expand Down Expand Up @@ -1278,9 +1278,9 @@ func (s *groupMembersIntegrationTestSuite) TestUpdateMemberMaintainerStatus() {
require.NoError(s.T(), err)

// Add users to organization
_, err = s.Membership.Create(ctx, s.org.ID, user2.ID, biz.WithMembershipRole(authz.RoleOrgMember))
_, err = s.Membership.Create(ctx, s.org.ID, user2.ID)
require.NoError(s.T(), err)
_, err = s.Membership.Create(ctx, s.org.ID, user3.ID, biz.WithMembershipRole(authz.RoleOrgMember))
_, err = s.Membership.Create(ctx, s.org.ID, user3.ID)
require.NoError(s.T(), err)

// Add users to the group (user2 as a regular member, user3 as a maintainer)
Expand Down Expand Up @@ -1705,7 +1705,7 @@ func (s *groupMembersIntegrationTestSuite) TestAddMemberToGroupSystemCall() {
require.NoError(s.T(), err)

// Add user to organization
_, err = s.Membership.Create(ctx, s.org.ID, systemUser.ID, biz.WithMembershipRole(authz.RoleOrgMember))
_, err = s.Membership.Create(ctx, s.org.ID, systemUser.ID)
require.NoError(s.T(), err)

// Add the user to the group without a requester ID (system call)
Expand Down Expand Up @@ -1753,7 +1753,7 @@ func (s *groupMembersIntegrationTestSuite) TestUpdateMemberMaintainerStatusSyste
require.NoError(s.T(), err)

// Add user to organization
_, err = s.Membership.Create(ctx, s.org.ID, systemUser.ID, biz.WithMembershipRole(authz.RoleOrgMember))
_, err = s.Membership.Create(ctx, s.org.ID, systemUser.ID)
require.NoError(s.T(), err)

// First add the user to the group (with requester ID for this setup step)
Expand Down
Loading