MCPcopy Index your code
hub / github.com/rilldata/rill / SetProjectMemberUsergroupRole

Method SetProjectMemberUsergroupRole

admin/server/usergroups.go:467–543  ·  view source on GitHub ↗
(ctx context.Context, req *adminv1.SetProjectMemberUsergroupRoleRequest)

Source from the content-addressed store, hash-verified

465}
466
467func (s *Server) SetProjectMemberUsergroupRole(ctx context.Context, req *adminv1.SetProjectMemberUsergroupRoleRequest) (*adminv1.SetProjectMemberUsergroupRoleResponse, error) {
468 observability.AddRequestAttributes(ctx,
469 attribute.String("args.org", req.Org),
470 attribute.String("args.project", req.Project),
471 attribute.String("args.usergroup", req.Usergroup),
472 )
473 if req.Role != nil {
474 observability.AddRequestAttributes(ctx, attribute.String("args.role", *req.Role))
475 }
476 if req.RestrictResources != nil {
477 observability.AddRequestAttributes(ctx, attribute.Bool("args.restrict_resources", *req.RestrictResources))
478 }
479 if len(req.Resources) > 0 {
480 observability.AddRequestAttributes(ctx, attribute.StringSlice("args.resources", resourcesString(req.Resources)))
481 }
482
483 proj, err := s.admin.DB.FindProjectByName(ctx, req.Org, req.Project)
484 if err != nil {
485 return nil, err
486 }
487
488 claims := auth.GetClaims(ctx)
489 if !claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID).ManageProjectMembers {
490 return nil, status.Error(codes.PermissionDenied, "not allowed to set project user group role")
491 }
492
493 usergroup, err := s.admin.DB.FindUsergroupByName(ctx, req.Org, req.Usergroup)
494 if err != nil {
495 return nil, err
496 }
497
498 // figure out role to assign
499 var role *database.ProjectRole
500 if req.Role == nil {
501 // keep existing
502 role, err = s.admin.DB.FindProjectMemberUsergroupRole(ctx, usergroup.ID, proj.ID)
503 if err != nil {
504 return nil, err
505 }
506 } else {
507 role, err = s.admin.DB.FindProjectRole(ctx, *req.Role)
508 if err != nil {
509 return nil, err
510 }
511 if role.Admin && !claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID).ManageProjectAdmins {
512 return nil, status.Error(codes.PermissionDenied, "as a non-admin you are not allowed to remove an admin role")
513 }
514 }
515
516 keepExistingRestrictions := req.RestrictResources == nil && len(req.Resources) == 0
517 restrictResources := valOrDefault(req.RestrictResources, false)
518 resources := resourceNamesFromProto(req.Resources)
519
520 if keepExistingRestrictions {
521 ug, err := s.admin.DB.FindProjectMemberUsergroup(ctx, usergroup.ID, proj.ID)
522 if err != nil && !errors.Is(err, database.ErrNotFound) {
523 return nil, err
524 }

Callers

nothing calls this directly

Calls 14

AddRequestAttributesFunction · 0.92
GetClaimsFunction · 0.92
resourcesStringFunction · 0.85
resourceNamesFromProtoFunction · 0.85
valOrDefaultFunction · 0.70
StringMethod · 0.65
FindProjectByNameMethod · 0.65
ProjectPermissionsMethod · 0.65
FindUsergroupByNameMethod · 0.65
FindProjectRoleMethod · 0.65

Tested by

no test coverage detected