From 63be27d17a70f5e8aabfea96ad98180fe7544ac5 Mon Sep 17 00:00:00 2001
From: "Jose I. Paris"
Date: Fri, 11 Jul 2025 10:29:29 +0200
Subject: [PATCH] make requester optional
Signed-off-by: Jose I. Paris
---
 app/controlplane/pkg/biz/group.go | 44 ++++++++++++++++---------------
 1 file changed, 23 insertions(+), 21 deletions(-)
diff --git a/app/controlplane/pkg/biz/group.go b/app/controlplane/pkg/biz/group.go
index e3c53619e..70f33cd96 100644
--- a/app/controlplane/pkg/biz/group.go
+++ b/app/controlplane/pkg/biz/group.go 
@@ -617,31 +617,33 @@ func (uc *GroupUseCase) RemoveMemberFromGroup(ctx context.Context, orgID uuid.UU
 return NewErrNotFound("group")
 }
- // Check if the requester is part of the organization
- requesterMembership, err := uc.membershipRepo.FindByOrgAndUser(ctx, orgID, opts.RequesterID)
- if err != nil && !IsNotFound(err) {
- return NewErrValidationStr("failed to check existing membership")
- }
+ if opts.RequesterID != uuid.Nil {
+ // Check if the requester is part of the organization
+ requesterMembership, err := uc.membershipRepo.FindByOrgAndUser(ctx, orgID, opts.RequesterID)
+ if err != nil && !IsNotFound(err) {
+ return NewErrValidationStr("failed to check existing membership")
+ }
- if requesterMembership == nil {
- return NewErrValidationStr("requester is not a member of the organization")
- }
+ if requesterMembership == nil {
+ return NewErrValidationStr("requester is not a member of the organization")
+ }
- // Check if the requester has sufficient permissions
- // Allow if the requester is an org owner or admin
- isAdminOrOwner := requesterMembership.Role == authz.RoleOwner || requesterMembership.Role == authz.RoleAdmin
+ // Check if the requester has sufficient permissions
+ // Allow if the requester is an org owner or admin
+ isAdminOrOwner := requesterMembership.Role == authz.RoleOwner || requesterMembership.Role == authz.RoleAdmin
- // If not an admin/owner, check if the requester is a maintainer of this group
- if !isAdminOrOwner {
- // Check if the requester is a maintainer of this group
- requesterGroupMembership, err := uc.membershipRepo.FindByUserAndResourceID(ctx, opts.RequesterID, resolvedGroupID)
- if err != nil && !IsNotFound(err) {
- return fmt.Errorf("failed to check requester's group membership: %w", err)
- }
+ // If not an admin/owner, check if the requester is a maintainer of this group
+ if !isAdminOrOwner {
+ // Check if the requester is a maintainer of this group
+ requesterGroupMembership, err := uc.membershipRepo.FindByUserAndResourceID(ctx, opts.RequesterID, resolvedGroupID)
+ if err != nil && !IsNotFound(err) {
+ return fmt.Errorf("failed to check requester's group membership: %w", err)
+ }
- // If not a maintainer of this group, deny access
- if requesterGroupMembership == nil || requesterGroupMembership.Role != authz.RoleGroupMaintainer {
- return NewErrValidationStr("requester does not have permission to add members to this group")
+ // If not a maintainer of this group, deny access
+ if requesterGroupMembership == nil || requesterGroupMembership.Role != authz.RoleGroupMaintainer {
+ return NewErrValidationStr("requester does not have permission to add members to this group")
+ }
 }
 }
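Review bot: With the new guard at `if opts.RequesterID != uuid.Nil {`, a zero RequesterID silently skips both the organization-membership check and the owner/admin/maintainer check, so any caller that leaves the field unset — including by accident, since uuid.Nil is the struct's zero value — removes group members with no authorization at all. If the intent is to let trusted internal callers bypass authorization, that contract should be stated on RemoveMemberFromGroup's doc comment and ideally expressed as an explicit opt-in rather than the zero value, e.g. `// A zero opts.RequesterID disables all permission checks; only internal/system callers may leave it unset.` The retained denial message `"requester does not have permission to add members to this group"` also reads as a copy from the add path and should say "remove" for this function. RemoveMemberFromGroup starts before this hunk, so I cannot see how RequesterID is populated by its callers; that is where the zero-value case needs to be audited.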