MCPcopy Index your code
hub / github.com/rilldata/rill / SetProjectMemberUserRole

Method SetProjectMemberUserRole

admin/server/projects.go:1375–1492  ·  view source on GitHub ↗
(ctx context.Context, req *adminv1.SetProjectMemberUserRoleRequest)

Source from the content-addressed store, hash-verified

1373}
1374
1375func (s *Server) SetProjectMemberUserRole(ctx context.Context, req *adminv1.SetProjectMemberUserRoleRequest) (*adminv1.SetProjectMemberUserRoleResponse, error) {
1376 observability.AddRequestAttributes(ctx,
1377 attribute.String("args.org", req.Org),
1378 attribute.String("args.email", req.Email),
1379 attribute.String("args.project", req.Project),
1380 )
1381 if req.Role != nil {
1382 observability.AddRequestAttributes(ctx, attribute.String("args.role", *req.Role))
1383 }
1384 if req.RestrictResources != nil {
1385 observability.AddRequestAttributes(ctx, attribute.Bool("args.restrict_resources", *req.RestrictResources))
1386 }
1387 if len(req.Resources) > 0 {
1388 observability.AddRequestAttributes(ctx, attribute.StringSlice("args.resources", resourcesString(req.Resources)))
1389 }
1390
1391 if req.Role == nil && req.RestrictResources == nil && len(req.Resources) == 0 {
1392 return nil, status.Error(codes.InvalidArgument, "at least one of role, restrict_resources, or resources must be set")
1393 }
1394
1395 proj, err := s.admin.DB.FindProjectByName(ctx, req.Org, req.Project)
1396 if err != nil {
1397 return nil, err
1398 }
1399
1400 claims := auth.GetClaims(ctx)
1401 if !claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID).ManageProjectMembers {
1402 return nil, status.Error(codes.PermissionDenied, "not allowed to set project member roles")
1403 }
1404
1405 user, err := s.admin.DB.FindUserByEmail(ctx, req.Email)
1406 if err != nil {
1407 if !errors.Is(err, database.ErrNotFound) {
1408 return nil, err
1409 }
1410 // Check if there is a pending invite for this user
1411 invite, err := s.admin.DB.FindProjectInvite(ctx, proj.ID, req.Email)
1412 if err != nil {
1413 return nil, err
1414 }
1415 var role *database.ProjectRole
1416 if req.Role == nil {
1417 // keep existing role
1418 role, err = s.admin.DB.FindProjectRoleByID(ctx, invite.ProjectRoleID)
1419 if err != nil {
1420 return nil, err
1421 }
1422 } else {
1423 role, err = s.admin.DB.FindProjectRole(ctx, *req.Role)
1424 if err != nil {
1425 return nil, err
1426 }
1427 if role.Admin && !claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID).ManageProjectAdmins {
1428 return nil, status.Error(codes.PermissionDenied, "as a non-admin you are not allowed to assign an admin role")
1429 }
1430 }
1431
1432 var restrictResources bool

Callers

nothing calls this directly

Calls 15

AddRequestAttributesFunction · 0.92
GetClaimsFunction · 0.92
resourcesStringFunction · 0.85
resourceNamesFromProtoFunction · 0.85
valOrDefaultFunction · 0.70
StringMethod · 0.65
FindProjectByNameMethod · 0.65
ProjectPermissionsMethod · 0.65
FindUserByEmailMethod · 0.65
FindProjectInviteMethod · 0.65
FindProjectRoleByIDMethod · 0.65
FindProjectRoleMethod · 0.65

Tested by

no test coverage detected