(ctx context.Context, req *adminv1.SetProjectMemberUserRoleRequest)
| 1373 | } |
| 1374 | |
| 1375 | func (s *Server) SetProjectMemberUserRole(ctx context.Context, req *adminv1.SetProjectMemberUserRoleRequest) (*adminv1.SetProjectMemberUserRoleResponse, error) { |
| 1376 | observability.AddRequestAttributes(ctx, |
| 1377 | attribute.String("args.org", req.Org), |
| 1378 | attribute.String("args.email", req.Email), |
| 1379 | attribute.String("args.project", req.Project), |
| 1380 | ) |
| 1381 | if req.Role != nil { |
| 1382 | observability.AddRequestAttributes(ctx, attribute.String("args.role", *req.Role)) |
| 1383 | } |
| 1384 | if req.RestrictResources != nil { |
| 1385 | observability.AddRequestAttributes(ctx, attribute.Bool("args.restrict_resources", *req.RestrictResources)) |
| 1386 | } |
| 1387 | if len(req.Resources) > 0 { |
| 1388 | observability.AddRequestAttributes(ctx, attribute.StringSlice("args.resources", resourcesString(req.Resources))) |
| 1389 | } |
| 1390 | |
| 1391 | if req.Role == nil && req.RestrictResources == nil && len(req.Resources) == 0 { |
| 1392 | return nil, status.Error(codes.InvalidArgument, "at least one of role, restrict_resources, or resources must be set") |
| 1393 | } |
| 1394 | |
| 1395 | proj, err := s.admin.DB.FindProjectByName(ctx, req.Org, req.Project) |
| 1396 | if err != nil { |
| 1397 | return nil, err |
| 1398 | } |
| 1399 | |
| 1400 | claims := auth.GetClaims(ctx) |
| 1401 | if !claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID).ManageProjectMembers { |
| 1402 | return nil, status.Error(codes.PermissionDenied, "not allowed to set project member roles") |
| 1403 | } |
| 1404 | |
| 1405 | user, err := s.admin.DB.FindUserByEmail(ctx, req.Email) |
| 1406 | if err != nil { |
| 1407 | if !errors.Is(err, database.ErrNotFound) { |
| 1408 | return nil, err |
| 1409 | } |
| 1410 | // Check if there is a pending invite for this user |
| 1411 | invite, err := s.admin.DB.FindProjectInvite(ctx, proj.ID, req.Email) |
| 1412 | if err != nil { |
| 1413 | return nil, err |
| 1414 | } |
| 1415 | var role *database.ProjectRole |
| 1416 | if req.Role == nil { |
| 1417 | // keep existing role |
| 1418 | role, err = s.admin.DB.FindProjectRoleByID(ctx, invite.ProjectRoleID) |
| 1419 | if err != nil { |
| 1420 | return nil, err |
| 1421 | } |
| 1422 | } else { |
| 1423 | role, err = s.admin.DB.FindProjectRole(ctx, *req.Role) |
| 1424 | if err != nil { |
| 1425 | return nil, err |
| 1426 | } |
| 1427 | if role.Admin && !claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID).ManageProjectAdmins { |
| 1428 | return nil, status.Error(codes.PermissionDenied, "as a non-admin you are not allowed to assign an admin role") |
| 1429 | } |
| 1430 | } |
| 1431 | |
| 1432 | var restrictResources bool |