
Commit 76e95c6

authored
chore(rbac): Revert Prevent user with org viewer role to become group maintainers (#2272)
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
1 parent 80105cb commit 76e95c6

2 files changed

Lines changed: 10 additions & 29 deletions


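--- a/app/controlplane/pkg/biz/group.go
+++ b/app/controlplane/pkg/biz/group.go
@@ -589,11 +589,6 @@ func (uc *GroupUseCase) addExistingUserToGroup(ctx context.Context, orgID, group
 return nil, NewErrAlreadyExistsStr("user is already a member of this group")
 }
 
-// If trying to make the user a maintainer, verify they don't have the org viewer role
-if opts.Maintainer && userMembership.Role == authz.RoleViewer {
-return nil, NewErrValidationStr("users with organization viewer role cannot be group maintainers")
-}
-
 // Add the user to the group
 membership, err := uc.groupRepo.AddMemberToGroup(ctx, orgID, groupID, userUUID, opts.Maintainer)
 if err != nil {
@@ -800,20 +795,6 @@ func (uc *GroupUseCase) UpdateMemberMaintainerStatus(ctx context.Context, orgID
 return NewErrValidationStr("user is not a member of this group")
 }
 
-// If trying to make the user a maintainer, verify they don't have the org viewer role
-if opts.IsMaintainer {
-// Check the user's org role
-userOrgMembership, err := uc.membershipRepo.FindByOrgAndUser(ctx, orgID, userUUID)
-if err != nil {
-return fmt.Errorf("failed to check user's organization role: %w", err)
-}
-
-// Prevent org viewers from becoming maintainers
-if userOrgMembership.Role == authz.RoleViewer {
-return NewErrValidationStr("users with organization viewer role cannot be group maintainers")
-}
-}
-
 // Update the member's maintainer status
 if err := uc.groupRepo.UpdateMemberMaintainerStatus(ctx, orgID, resolvedGroupID, userUUID, opts.IsMaintainer); err != nil {
 return fmt.Errorf("failed to update member maintainer status: %w", err)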

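--- a/app/controlplane/pkg/biz/group_integration_test.go
+++ b/app/controlplane/pkg/biz/group_integration_test.go
@@ -888,7 +888,7 @@ func (s *groupMembersIntegrationTestSuite) TestAddMemberToGroup() {
 // Add users to organization
 _, err = s.Membership.Create(ctx, s.org.ID, user2.ID)
 require.NoError(s.T(), err)
-_, err = s.Membership.Create(ctx, s.org.ID, user3.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+_, err = s.Membership.Create(ctx, s.org.ID, user3.ID)
 require.NoError(s.T(), err)
 
 s.Run("add member using group ID", func() {
@@ -1128,11 +1128,11 @@ func (s *groupMembersIntegrationTestSuite) TestRemoveMemberFromGroup() {
 require.NoError(s.T(), err)
 
 // Add users to organization
-_, err = s.Membership.Create(ctx, s.org.ID, user2.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+_, err = s.Membership.Create(ctx, s.org.ID, user2.ID)
 require.NoError(s.T(), err)
-_, err = s.Membership.Create(ctx, s.org.ID, user3.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+_, err = s.Membership.Create(ctx, s.org.ID, user3.ID)
 require.NoError(s.T(), err)
-_, err = s.Membership.Create(ctx, s.org.ID, user4.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+_, err = s.Membership.Create(ctx, s.org.ID, user4.ID)
 require.NoError(s.T(), err)
 
 // Add users to the group
@@ -1358,9 +1358,9 @@ func (s *groupMembersIntegrationTestSuite) TestGroupMemberCount() {
 require.NoError(s.T(), err)
 
 // Add users to organization
-_, err = s.Membership.Create(ctx, s.org.ID, user2.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+_, err = s.Membership.Create(ctx, s.org.ID, user2.ID)
 require.NoError(s.T(), err)
-_, err = s.Membership.Create(ctx, s.org.ID, user3.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+_, err = s.Membership.Create(ctx, s.org.ID, user3.ID)
 require.NoError(s.T(), err)
 
 // Check initial member count
@@ -1461,9 +1461,9 @@ func (s *groupMembersIntegrationTestSuite) TestUpdateMemberMaintainerStatus() {
 require.NoError(s.T(), err)
 
 // Add users to organization
-_, err = s.Membership.Create(ctx, s.org.ID, user2.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+_, err = s.Membership.Create(ctx, s.org.ID, user2.ID)
 require.NoError(s.T(), err)
-_, err = s.Membership.Create(ctx, s.org.ID, user3.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+_, err = s.Membership.Create(ctx, s.org.ID, user3.ID)
 require.NoError(s.T(), err)
 
 // Add users to the group (user2 as a regular member, user3 as a maintainer)
@@ -1888,7 +1888,7 @@ func (s *groupMembersIntegrationTestSuite) TestAddMemberToGroupSystemCall() {
 require.NoError(s.T(), err)
 
 // Add user to organization
-_, err = s.Membership.Create(ctx, s.org.ID, systemUser.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+_, err = s.Membership.Create(ctx, s.org.ID, systemUser.ID)
 require.NoError(s.T(), err)
 
 // Add user to organization
@@ -1936,7 +1936,7 @@ func (s *groupMembersIntegrationTestSuite) TestUpdateMemberMaintainerStatusSyste
 require.NoError(s.T(), err)
 
 // Add user to organization
-_, err = s.Membership.Create(ctx, s.org.ID, systemUser.ID, biz.WithMembershipRole(authz.RoleOrgMember))
+_, err = s.Membership.Create(ctx, s.org.ID, systemUser.ID)
 require.NoError(s.T(), err)
 
 // First add the user to the group (with requester ID for this setup step)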
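Review bot: The setup in TestUpdateMemberMaintainerStatus (and the parallel setups in the other hunks of this file) now creates the org membership with no explicit role, so the org role under which a user is promoted to group maintainer is whatever `Membership.Create` defaults to, which these hunks do not show. The same commit removes the viewer-role guard from `addExistingUserToGroup` and `UpdateMemberMaintainerStatus` in group.go, so this is a change to an authorization rule and the tests should pin it rather than rely on a default. I would add one case that creates the user with `biz.WithMembershipRole(authz.RoleViewer)` and asserts the outcome the team intends for promoting that user to maintainer. A short comment above the setup, such as `// org role left at the default: maintainer status no longer depends on it`, would make the decision visible to the next reader. The test function bodies start and end outside the hunks shown.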
