Get a user and verify they belong to the token's organization (single JOIN).
(user_id: int, org_id: int, db_session: AsyncSession)
| 88 | |
| 89 | |
| 90 | async def _get_user_in_org(user_id: int, org_id: int, db_session: AsyncSession) -> User: |
| 91 | """Get a user and verify they belong to the token's organization (single JOIN).""" |
| 92 | result = (await db_session.execute( |
| 93 | select(User) |
| 94 | .join( |
| 95 | UserOrganization, |
| 96 | (UserOrganization.user_id == User.id) & (UserOrganization.org_id == org_id), |
| 97 | ) |
| 98 | .where(User.id == user_id) |
| 99 | )).scalar_one_or_none() |
| 100 | |
| 101 | if result is None: |
| 102 | # Distinguish "user not found" from "not a member" for a better error |
| 103 | exists = (await db_session.execute(select(User.id).where(User.id == user_id))).scalar_one_or_none() |
| 104 | if not exists: |
| 105 | raise HTTPException(status_code=404, detail="User not found") |
| 106 | raise HTTPException( |
| 107 | status_code=status.HTTP_403_FORBIDDEN, |
| 108 | detail="User does not belong to this organization", |
| 109 | ) |
| 110 | return result |
| 111 | |
| 112 | |
| 113 | _ROLE_PRIORITY = { |