(ctx context.Context, req *adminv1.AddOrganizationMemberUsergroupRequest)
| 285 | } |
| 286 | |
| 287 | func (s *Server) AddOrganizationMemberUsergroup(ctx context.Context, req *adminv1.AddOrganizationMemberUsergroupRequest) (*adminv1.AddOrganizationMemberUsergroupResponse, error) { |
| 288 | observability.AddRequestAttributes(ctx, |
| 289 | attribute.String("args.org", req.Org), |
| 290 | attribute.String("args.usergroup", req.Usergroup), |
| 291 | attribute.String("args.role", req.Role), |
| 292 | ) |
| 293 | |
| 294 | usergroup, err := s.admin.DB.FindUsergroupByName(ctx, req.Org, req.Usergroup) |
| 295 | if err != nil { |
| 296 | return nil, err |
| 297 | } |
| 298 | |
| 299 | claims := auth.GetClaims(ctx) |
| 300 | if !claims.OrganizationPermissions(ctx, usergroup.OrgID).ManageOrgMembers { |
| 301 | return nil, status.Error(codes.PermissionDenied, "not allowed to set org user group role") |
| 302 | } |
| 303 | |
| 304 | if usergroup.Managed { |
| 305 | return nil, status.Error(codes.FailedPrecondition, "cannot edit managed user group") |
| 306 | } |
| 307 | |
| 308 | role, err := s.admin.DB.FindOrganizationRole(ctx, req.Role) |
| 309 | if err != nil { |
| 310 | return nil, err |
| 311 | } |
| 312 | if role.Admin && !claims.OrganizationPermissions(ctx, usergroup.OrgID).ManageOrgAdmins { |
| 313 | return nil, status.Error(codes.PermissionDenied, "as a non-admin you are not allowed to assign an admin role") |
| 314 | } |
| 315 | |
| 316 | err = s.admin.DB.InsertOrganizationMemberUsergroup(ctx, usergroup.ID, usergroup.OrgID, role.ID) |
| 317 | if err != nil { |
| 318 | return nil, err |
| 319 | } |
| 320 | |
| 321 | return &adminv1.AddOrganizationMemberUsergroupResponse{}, nil |
| 322 | } |
| 323 | |
| 324 | func (s *Server) SetOrganizationMemberUsergroupRole(ctx context.Context, req *adminv1.SetOrganizationMemberUsergroupRoleRequest) (*adminv1.SetOrganizationMemberUsergroupRoleResponse, error) { |
| 325 | observability.AddRequestAttributes(ctx, |
nothing calls this directly
no test coverage detected