(ctx context.Context, rw http.ResponseWriter, member httpmw.OrganizationMember, organization database.Organization)
| 473 | } |
| 474 | |
| 475 | func (api *API) allowChangingMemberRoles(ctx context.Context, rw http.ResponseWriter, member httpmw.OrganizationMember, organization database.Organization) bool { |
| 476 | // nolint:gocritic // The caller could be an org admin without this perm. |
| 477 | // We need to disable manual role assignment if role sync is enabled for |
| 478 | // the given organization. |
| 479 | user, err := api.Database.GetUserByID(dbauthz.AsSystemRestricted(ctx), member.UserID) |
| 480 | if err != nil { |
| 481 | httpapi.InternalServerError(rw, err) |
| 482 | return false |
| 483 | } |
| 484 | |
| 485 | if user.LoginType == database.LoginTypeOIDC { |
| 486 | // nolint:gocritic // fetching settings |
| 487 | orgSync, err := api.IDPSync.OrganizationRoleSyncEnabled(dbauthz.AsSystemRestricted(ctx), api.Database, organization.ID) |
| 488 | if err != nil { |
| 489 | httpapi.InternalServerError(rw, err) |
| 490 | return false |
| 491 | } |
| 492 | if orgSync { |
| 493 | httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ |
| 494 | Message: "Cannot modify roles for OIDC users when role sync is enabled. This organization member's roles are managed by the identity provider. Have the user re-login to refresh their roles.", |
| 495 | Detail: "'User Role Field' is set in the organization settings. Ask an administrator to adjust or disable these settings.", |
| 496 | }) |
| 497 | return false |
| 498 | } |
| 499 | } |
| 500 | |
| 501 | return true |
| 502 | } |
| 503 | |
| 504 | // convertOrganizationMembers batches the role lookup to make only 1 sql call |
| 505 | // We |
no test coverage detected