(ctx context.Context, req *adminv1.SetProjectMemberUsergroupRoleRequest)
| 465 | } |
| 466 | |
| 467 | func (s *Server) SetProjectMemberUsergroupRole(ctx context.Context, req *adminv1.SetProjectMemberUsergroupRoleRequest) (*adminv1.SetProjectMemberUsergroupRoleResponse, error) { |
| 468 | observability.AddRequestAttributes(ctx, |
| 469 | attribute.String("args.org", req.Org), |
| 470 | attribute.String("args.project", req.Project), |
| 471 | attribute.String("args.usergroup", req.Usergroup), |
| 472 | ) |
| 473 | if req.Role != nil { |
| 474 | observability.AddRequestAttributes(ctx, attribute.String("args.role", *req.Role)) |
| 475 | } |
| 476 | if req.RestrictResources != nil { |
| 477 | observability.AddRequestAttributes(ctx, attribute.Bool("args.restrict_resources", *req.RestrictResources)) |
| 478 | } |
| 479 | if len(req.Resources) > 0 { |
| 480 | observability.AddRequestAttributes(ctx, attribute.StringSlice("args.resources", resourcesString(req.Resources))) |
| 481 | } |
| 482 | |
| 483 | proj, err := s.admin.DB.FindProjectByName(ctx, req.Org, req.Project) |
| 484 | if err != nil { |
| 485 | return nil, err |
| 486 | } |
| 487 | |
| 488 | claims := auth.GetClaims(ctx) |
| 489 | if !claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID).ManageProjectMembers { |
| 490 | return nil, status.Error(codes.PermissionDenied, "not allowed to set project user group role") |
| 491 | } |
| 492 | |
| 493 | usergroup, err := s.admin.DB.FindUsergroupByName(ctx, req.Org, req.Usergroup) |
| 494 | if err != nil { |
| 495 | return nil, err |
| 496 | } |
| 497 | |
| 498 | // figure out role to assign |
| 499 | var role *database.ProjectRole |
| 500 | if req.Role == nil { |
| 501 | // keep existing |
| 502 | role, err = s.admin.DB.FindProjectMemberUsergroupRole(ctx, usergroup.ID, proj.ID) |
| 503 | if err != nil { |
| 504 | return nil, err |
| 505 | } |
| 506 | } else { |
| 507 | role, err = s.admin.DB.FindProjectRole(ctx, *req.Role) |
| 508 | if err != nil { |
| 509 | return nil, err |
| 510 | } |
| 511 | if role.Admin && !claims.ProjectPermissions(ctx, proj.OrganizationID, proj.ID).ManageProjectAdmins { |
| 512 | return nil, status.Error(codes.PermissionDenied, "as a non-admin you are not allowed to remove an admin role") |
| 513 | } |
| 514 | } |
| 515 | |
| 516 | keepExistingRestrictions := req.RestrictResources == nil && len(req.Resources) == 0 |
| 517 | restrictResources := valOrDefault(req.RestrictResources, false) |
| 518 | resources := resourceNamesFromProto(req.Resources) |
| 519 | |
| 520 | if keepExistingRestrictions { |
| 521 | ug, err := s.admin.DB.FindProjectMemberUsergroup(ctx, usergroup.ID, proj.ID) |
| 522 | if err != nil && !errors.Is(err, database.ErrNotFound) { |
| 523 | return nil, err |
| 524 | } |