(ctx context.Context, req *adminv1.AddProjectMemberUsergroupRequest)
| 403 | } |
| 404 | |
| 405 | func (s *Server) AddProjectMemberUsergroup(ctx context.Context, req *adminv1.AddProjectMemberUsergroupRequest) (*adminv1.AddProjectMemberUsergroupResponse, error) { |
| 406 | observability.AddRequestAttributes(ctx, |
| 407 | attribute.String("args.org", req.Org), |
| 408 | attribute.String("args.project", req.Project), |
| 409 | attribute.String("args.usergroup", req.Usergroup), |
| 410 | attribute.String("args.role", req.Role), |
| 411 | ) |
| 412 | if req.RestrictResources != nil { |
| 413 | observability.AddRequestAttributes(ctx, attribute.Bool("args.restrict_resources", req.GetRestrictResources())) |
| 414 | } |
| 415 | if len(req.Resources) > 0 { |
| 416 | observability.AddRequestAttributes(ctx, attribute.StringSlice("args.resources", resourcesString(req.Resources))) |
| 417 | } |
| 418 | |
| 419 | proj, err := s.admin.DB.FindProjectByName(ctx, req.Org, req.Project) |
| 420 | if err != nil { |
| 421 | return nil, err |
| 422 | } |
| 423 | |
| 424 | claims := auth.GetClaims(ctx) |
| 425 | if !claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID).ManageProjectMembers { |
| 426 | return nil, status.Error(codes.PermissionDenied, "not allowed to add project user group role") |
| 427 | } |
| 428 | |
| 429 | role, err := s.admin.DB.FindProjectRole(ctx, req.Role) |
| 430 | if err != nil { |
| 431 | return nil, err |
| 432 | } |
| 433 | if role.Admin && !claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID).ManageProjectAdmins { |
| 434 | return nil, status.Error(codes.PermissionDenied, "as a non-admin you are not allowed to assign an admin role") |
| 435 | } |
| 436 | |
| 437 | usergroup, err := s.admin.DB.FindUsergroupByName(ctx, req.Org, req.Usergroup) |
| 438 | if err != nil { |
| 439 | return nil, err |
| 440 | } |
| 441 | |
| 442 | keepExistingRestrictions := req.RestrictResources == nil && len(req.Resources) == 0 |
| 443 | restrictResources := valOrDefault(req.RestrictResources, false) || len(req.Resources) > 0 |
| 444 | resources := resourceNamesFromProto(req.Resources) |
| 445 | |
| 446 | err = s.admin.DB.InsertProjectMemberUsergroup(ctx, usergroup.ID, proj.ID, role.ID, restrictResources, resources) |
| 447 | if err != nil { |
| 448 | if !errors.Is(err, database.ErrNotUnique) { |
| 449 | return nil, err |
| 450 | } |
| 451 | if keepExistingRestrictions { |
| 452 | ug, err := s.admin.DB.FindProjectMemberUsergroup(ctx, usergroup.ID, proj.ID) |
| 453 | if err != nil { |
| 454 | return nil, err |
| 455 | } |
| 456 | restrictResources = ug.RestrictResources |
| 457 | resources = ug.Resources |
| 458 | } |
| 459 | if err := s.admin.DB.UpdateProjectMemberUsergroup(ctx, usergroup.ID, proj.ID, role.ID, restrictResources, resources); err != nil { |
| 460 | return nil, err |
| 461 | } |
| 462 | } |
Nothing calls this function directly.
No test coverage was detected for it.