(ctx context.Context, req *adminv1.ApproveProjectAccessRequest)
| 1648 | } |
| 1649 | |
| 1650 | func (s *Server) ApproveProjectAccess(ctx context.Context, req *adminv1.ApproveProjectAccessRequest) (*adminv1.ApproveProjectAccessResponse, error) { |
| 1651 | observability.AddRequestAttributes(ctx, |
| 1652 | attribute.String("args.id", req.Id), |
| 1653 | ) |
| 1654 | |
| 1655 | accessReq, err := s.admin.DB.FindProjectAccessRequestByID(ctx, req.Id) |
| 1656 | if err != nil { |
| 1657 | return nil, err |
| 1658 | } |
| 1659 | |
| 1660 | proj, err := s.admin.DB.FindProject(ctx, accessReq.ProjectID) |
| 1661 | if err != nil { |
| 1662 | return nil, err |
| 1663 | } |
| 1664 | |
| 1665 | claims := auth.GetClaims(ctx) |
| 1666 | if !claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID).ManageProjectMembers { |
| 1667 | return nil, status.Error(codes.PermissionDenied, "not allowed to set project member roles") |
| 1668 | } |
| 1669 | |
| 1670 | user, err := s.admin.DB.FindUser(ctx, accessReq.UserID) |
| 1671 | if err != nil { |
| 1672 | return nil, err |
| 1673 | } |
| 1674 | |
| 1675 | org, err := s.admin.DB.FindOrganization(ctx, proj.OrganizationID) |
| 1676 | if err != nil { |
| 1677 | return nil, err |
| 1678 | } |
| 1679 | |
| 1680 | role, err := s.admin.DB.FindProjectRole(ctx, req.Role) |
| 1681 | if err != nil { |
| 1682 | return nil, err |
| 1683 | } |
| 1684 | if role.Admin && !claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID).ManageProjectAdmins { |
| 1685 | return nil, status.Error(codes.PermissionDenied, "as a non-admin you are not allowed to assign an admin role") |
| 1686 | } |
| 1687 | |
| 1688 | ok, err := s.admin.DB.CheckUserIsAProjectMember(ctx, user.ID, proj.ID) |
| 1689 | if err != nil { |
| 1690 | return nil, err |
| 1691 | } |
| 1692 | |
| 1693 | if ok { |
| 1694 | // User is already a project member, update the role, keep existing resource restrictions. |
| 1695 | member, err := s.admin.DB.FindProjectMemberUser(ctx, proj.ID, user.ID) |
| 1696 | if err != nil { |
| 1697 | return nil, err |
| 1698 | } |
| 1699 | |
| 1700 | err = s.admin.DB.UpdateProjectMemberUserRole(ctx, proj.ID, user.ID, role.ID, member.RestrictResources, member.Resources) |
| 1701 | if err != nil { |
| 1702 | return nil, err |
| 1703 | } |
| 1704 | } else { |
| 1705 | // Add the user as a project member. |
| 1706 | err = s.admin.InsertProjectMemberUser(ctx, proj.OrganizationID, proj.ID, user.ID, role.ID, nil, false, nil) |
| 1707 | if err != nil { |