

add GetMembersByOrganization permission
FoseFx committed Nov 18, 2024
1 parent 293cf6c commit 7af8324
Showing 3 changed files with 7 additions and 20 deletions.
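--- a/services/user-svc/internal/organization/organization.go
+++ b/services/user-svc/internal/organization/organization.go
@@ -602,29 +602,14 @@ func (s ServiceServer) GetMembersByOrganization(
 return nil, status.Error(codes.Internal, err.Error())
 }
 
-userID := auth.MustGetUserID(ctx)
-
-doesOrganizationExist, err := organizationRepo.DoesOrganizationExist(ctx, organizationID)
-err = hwdb.Error(ctx, err)
-if err != nil {
-return nil, err
-} else if !doesOrganizationExist {
-return &pb.GetMembersByOrganizationResponse{}, nil
-}
-
-hasAccess, err := organizationRepo.IsInOrganizationById(ctx, organization_repo.IsInOrganizationByIdParams{
-Organizationid: organizationID,
-Userid: userID,
-})
-err = hwdb.Error(ctx, err)
-if err != nil {
+// check permission
+user := commonPerm.UserFromCtx(ctx)
+check := hwauthz.NewPermissionCheck(
+user, perm.OrganizationCanUserGetMembers, commonPerm.Organization(organizationID))
+if err := s.authz.Must(ctx, check); err != nil {
 return nil, err
 }
 
-if !hasAccess {
-return nil, status.Error(codes.Unauthenticated, "Not a member of this organization")
-}
-
 members, err := organizationRepo.GetMembersByOrganization(ctx, organizationID)
 err = hwdb.Error(ctx, err)
 if err != nil {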
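Review bot: The new s.authz.Must call now also stands in for the removed DoesOrganizationExist check, so a request for an unknown organization no longer returns an empty GetMembersByOrganizationResponse but whatever Must returns when the relation has no subject — presumably a permission-denied error — and the codes.Unauthenticated status for non-members is gone as well; this is a client-visible change the commit does not mention. Because the SpiceDB schema derives get_members from get, which is membership, unknown organizations and non-members now collapse into one response, which removes the existence oracle the old empty response gave non-members, but it should be stated where the check lives. Suggest a comment above the check: `// SpiceDB authorization replaces the explicit existence and membership lookups: unknown organizations and non-members both fail this check instead of getting an empty response or codes.Unauthenticated.` Whether Must yields a gRPC status error that the transport layer maps cleanly is not visible here and worth confirming. GetMembersByOrganization starts before the hunk and continues after it.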
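--- a/services/user-svc/internal/organization/perm/perm.go
+++ b/services/user-svc/internal/organization/perm/perm.go
@@ -18,6 +18,7 @@ const (
 OrganizationCanUserGet = "get"
 OrganizationCanUserUpdate = "update"
 OrganizationCanUserDelete = "delete"
+OrganizationCanUserGetMembers = "get_members"
 OrganizationCanUserInviteMember = "invite_member"
 OrganizationCanUserRemoveMember = "remove_member"
 )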
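--- a/spicedb/organization.zed
+++ b/spicedb/organization.zed
@@ -9,6 +9,7 @@ definition organization {
 
 // all members can get the organization
 permission get = membership;
+permission get_members = get;
 
 // (only) leaders can update and delete an organization
 permission update = leadership;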
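Review bot: The new `get_members` permission is the only one in this block without a comment, and its policy — every member may list the organization's members — is a deliberate choice that deserves to be stated. Suggest `// all members can list the organization's members` directly above the line. Deriving it from `get` rather than from `membership` also means any future widening of `get` silently widens member listing too; if that coupling is intended, the comment should say so, otherwise `permission get_members = membership;` keeps the two independent.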
