@@ -769,24 +769,25 @@ func (uc *GroupUseCase) UpdateMemberMaintainerStatus(ctx context.Context, orgID
769769 // Find the user by reference or email
770770 var userUUID uuid.UUID
771771 var userEmail string
772+ var userMembership * Membership
772773
773774 // If UserReference is provided, use it to resolve the user ID
774775 if opts .UserReference != nil && (opts .UserReference .ID != nil || opts .UserReference .Name != nil ) {
775776 // If ID is provided directly, use it
776777 if opts .UserReference .ID != nil {
777778 userUUID = * opts .UserReference .ID
778779 // Look up the user to verify they exist and get their email
779- user , err : = uc .membershipRepo .FindByOrgAndUser (ctx , orgID , userUUID )
780+ userMembership , err = uc .membershipRepo .FindByOrgAndUser (ctx , orgID , userUUID )
780781 if err != nil {
781782 return fmt .Errorf ("failed to find user by ID: %w" , err )
782783 }
783- if user == nil {
784+ if userMembership == nil {
784785 return NewErrNotFound ("user" )
785786 }
786- userEmail = user .User .Email
787+ userEmail = userMembership .User .Email
787788 } else if opts .UserReference .Name != nil {
788789 // If name (email) is provided, look up the user
789- userMembership , err : = uc .membershipRepo .FindByOrgIDAndUserEmail (ctx , orgID , * opts .UserReference .Name )
790+ userMembership , err = uc .membershipRepo .FindByOrgIDAndUserEmail (ctx , orgID , * opts .UserReference .Name )
790791 if err != nil && ! IsNotFound (err ) {
791792 return fmt .Errorf ("failed to find user by email: %w" , err )
792793 }
@@ -798,7 +799,7 @@ func (uc *GroupUseCase) UpdateMemberMaintainerStatus(ctx context.Context, orgID
798799 }
799800 } else {
800801 // Fall back to using UserEmail
801- userMembership , err : = uc .membershipRepo .FindByOrgIDAndUserEmail (ctx , orgID , * opts .UserReference .Name )
802+ userMembership , err = uc .membershipRepo .FindByOrgIDAndUserEmail (ctx , orgID , * opts .UserReference .Name )
802803 if err != nil && ! IsNotFound (err ) {
803804 return fmt .Errorf ("failed to find user by email: %w" , err )
804805 }
@@ -809,6 +810,11 @@ func (uc *GroupUseCase) UpdateMemberMaintainerStatus(ctx context.Context, orgID
809810 userEmail = * opts .UserReference .Name
810811 }
811812
813+ // illegal combination: org viewers cannot become maintainers
814+ if userMembership != nil && userMembership .Role == authz .RoleViewer && opts .IsMaintainer {
815+ return NewErrValidationStr ("org viewers cannot become group maintainers" )
816+ }
817+
812818 // Check if the user is a member of the group
813819 existingMembership , err := uc .groupRepo .FindGroupMembershipByGroupAndID (ctx , resolvedGroupID , userUUID )
814820 if err != nil && ! IsNotFound (err ) {
0 commit comments