(ctx context.Context, policy *storepb.IamPolicy, user *store.UserMessage)
| 564 | } |
| 565 | |
| 566 | func (s *UserService) hasExtraWorkspaceAdmin(ctx context.Context, policy *storepb.IamPolicy, user *store.UserMessage) (bool, error) { |
| 567 | workspaceAdminRole := common.FormatRole(store.WorkspaceAdminRole) |
| 568 | userMember := common.FormatUserEmail(user.Email) |
| 569 | |
| 570 | for _, binding := range policy.GetBindings() { |
| 571 | if binding.GetRole() != workspaceAdminRole { |
| 572 | continue |
| 573 | } |
| 574 | for _, member := range binding.GetMembers() { |
| 575 | if member == userMember { |
| 576 | continue |
| 577 | } |
| 578 | if member == common.AllUsers && !s.profile.SaaS { |
| 579 | // allUsers means every user is an admin. Count all active end users |
| 580 | // (not just workspace members) since allUsers includes everyone. |
| 581 | count, err := s.store.CountActivePrincipals(ctx) |
| 582 | if err != nil { |
| 583 | return false, err |
| 584 | } |
| 585 | return count > 1, nil |
| 586 | } |
| 587 | users := utils.GetUsersByMember(ctx, s.store, common.GetWorkspaceIDFromContext(ctx), member) |
| 588 | for _, user := range users { |
| 589 | if !user.MemberDeleted && user.Type == storepb.PrincipalType_END_USER { |
| 590 | return true, nil |
| 591 | } |
| 592 | } |
| 593 | } |
| 594 | } |
| 595 | return false, nil |
| 596 | } |
| 597 | |
| 598 | // UndeleteUser undeletes a user. |
| 599 | func (s *UserService) UndeleteUser(ctx context.Context, request *connect.Request[v1pb.UndeleteUserRequest]) (*connect.Response[v1pb.User], error) { |
no test coverage detected