chore(rbac): Set organization ID in all project memberships (#2184)

javirln · web-flow · commit 239da907a0be · 2025-07-03T11:16:32.000+02:00
Signed-off-by: Javier Rodriguez &lt;javier@chainloop.dev&gt;
diff --git a/app/controlplane/pkg/biz/project.go b/app/controlplane/pkg/biz/project.go
@@ -45,7 +45,7 @@ type ProjectsRepo interface {
 	// UpdateMemberRoleInProject updates the role of a user or group in a project.
 	UpdateMemberRoleInProject(ctx context.Context, orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType, newRole authz.Role) (*ProjectMembership, error)
 	// FindProjectMembershipByProjectAndID finds a project membership by project ID and member ID (user or group).
-	FindProjectMembershipByProjectAndID(ctx context.Context, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) (*ProjectMembership, error)
+	FindProjectMembershipByProjectAndID(ctx context.Context, orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) (*ProjectMembership, error)
 }
 
 // ProjectUseCase is a use case for projects
@@ -252,7 +252,7 @@ func (uc *ProjectUseCase) addUserToProject(ctx context.Context, orgID uuid.UUID,
 	userUUID := uuid.MustParse(userMembership.User.ID)
 
 	// Check if the user is already a member of the project
-	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, projectID, userUUID, authz.MembershipTypeUser)
+	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, userUUID, authz.MembershipTypeUser)
 	if err != nil && !IsNotFound(err) {
 		return nil, fmt.Errorf("failed to check existing membership: %w", err)
 	}
@@ -289,7 +289,7 @@ func (uc *ProjectUseCase) addGroupToProject(ctx context.Context, orgID uuid.UUID
 	}
 
 	// Check if the group already has membership in the project
-	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, projectID, resolvedGroupID, authz.MembershipTypeGroup)
+	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, resolvedGroupID, authz.MembershipTypeGroup)
 	if err != nil && !IsNotFound(err) {
 		return nil, fmt.Errorf("failed to check existing group membership: %w", err)
 	}
@@ -371,7 +371,7 @@ func (uc *ProjectUseCase) removeUserFromProject(ctx context.Context, orgID uuid.
 	userUUID := uuid.MustParse(userMembership.User.ID)
 
 	// Check if the user is a member of the project
-	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, projectID, userUUID, authz.MembershipTypeUser)
+	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, userUUID, authz.MembershipTypeUser)
 	if err != nil && !IsNotFound(err) {
 		return fmt.Errorf("failed to check existing membership: %w", err)
 	}
@@ -406,7 +406,7 @@ func (uc *ProjectUseCase) removeGroupFromProject(ctx context.Context, orgID uuid
 	}
 
 	// Check if the group has membership in the project
-	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, projectID, resolvedGroupID, authz.MembershipTypeGroup)
+	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, resolvedGroupID, authz.MembershipTypeGroup)
 	if err != nil && !IsNotFound(err) {
 		return fmt.Errorf("failed to check existing group membership: %w", err)
 	}
@@ -526,7 +526,8 @@ func (uc *ProjectUseCase) verifyRequesterHasPermissions(ctx context.Context, org
 	for _, m := range requesterMemberships {
 		if m.ResourceType == authz.ResourceTypeProject &&
 			m.ResourceID == projectID &&
-			m.Role == authz.RoleProjectAdmin {
+			m.Role == authz.RoleProjectAdmin &&
+			m.OrganizationID == orgID {
 			hasProjectAdminRole = true
 			break
 		}
@@ -610,7 +611,7 @@ func (uc *ProjectUseCase) updateUserRoleInProject(ctx context.Context, orgID uui
 	userUUID := uuid.MustParse(userMembership.User.ID)
 
 	// Check if the user is a member of the project
-	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, projectID, userUUID, authz.MembershipTypeUser)
+	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, userUUID, authz.MembershipTypeUser)
 	if err != nil && !IsNotFound(err) {
 		return fmt.Errorf("failed to check existing membership: %w", err)
 	}
@@ -652,7 +653,7 @@ func (uc *ProjectUseCase) updateGroupRoleInProject(ctx context.Context, orgID uu
 	}
 
 	// Check if the group has membership in the project
-	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, projectID, resolvedGroupID, authz.MembershipTypeGroup)
+	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, resolvedGroupID, authz.MembershipTypeGroup)
 	if err != nil && !IsNotFound(err) {
 		return fmt.Errorf("failed to check existing group membership: %w", err)
 	}
diff --git a/app/controlplane/pkg/data/membership.go b/app/controlplane/pkg/data/membership.go
@@ -250,7 +250,7 @@ func (r *MembershipRepo) ListAllByUser(ctx context.Context, userID uuid.UUID) ([
 	mm, err := r.data.DB.Membership.Query().Where(
 		membership.MembershipTypeEQ(authz.MembershipTypeUser),
 		membership.MemberID(userID),
-	).All(ctx)
+	).WithOrganization().All(ctx)
 
 	if err != nil {
 		return nil, fmt.Errorf("failed to query memberships: %w", err)
diff --git a/app/controlplane/pkg/data/project.go b/app/controlplane/pkg/data/project.go
@@ -198,6 +198,7 @@ func (r *ProjectRepo) AddMemberToProject(ctx context.Context, orgID uuid.UUID, p
 
 	// Create the membership
 	if _, err := r.data.DB.Membership.Create().
+		SetOrganizationID(orgID).
 		SetMembershipType(membershipType).
 		SetMemberID(memberID).
 		SetResourceType(authz.ResourceTypeProject).
@@ -208,7 +209,7 @@ func (r *ProjectRepo) AddMemberToProject(ctx context.Context, orgID uuid.UUID, p
 	}
 
 	// Return the created membership
-	return r.FindProjectMembershipByProjectAndID(ctx, projectID, memberID, membershipType)
+	return r.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, memberID, membershipType)
 }
 
 // RemoveMemberFromProject removes a user or group from a project
@@ -223,7 +224,7 @@ func (r *ProjectRepo) RemoveMemberFromProject(ctx context.Context, orgID uuid.UU
 	}
 
 	// Find the membership to delete
-	m, err := r.queryMembership(projectID, memberID, membershipType).Only(ctx)
+	m, err := r.queryMembership(orgID, projectID, memberID, membershipType).Only(ctx)
 
 	if err != nil {
 		if ent.IsNotFound(err) {
@@ -241,9 +242,9 @@ func (r *ProjectRepo) RemoveMemberFromProject(ctx context.Context, orgID uuid.UU
 }
 
 // FindProjectMembershipByProjectAndID finds a project membership by project ID and member ID (user or group)
-func (r *ProjectRepo) FindProjectMembershipByProjectAndID(ctx context.Context, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) (*biz.ProjectMembership, error) {
+func (r *ProjectRepo) FindProjectMembershipByProjectAndID(ctx context.Context, orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) (*biz.ProjectMembership, error) {
 	// Find the membership
-	m, err := r.queryMembership(projectID, memberID, membershipType).Only(ctx)
+	m, err := r.queryMembership(orgID, projectID, memberID, membershipType).Only(ctx)
 
 	if err != nil {
 		if ent.IsNotFound(err) {
@@ -302,7 +303,7 @@ func (r *ProjectRepo) UpdateMemberRoleInProject(ctx context.Context, orgID uuid.
 	}
 
 	// Find the membership to update
-	m, err := r.queryMembership(projectID, memberID, membershipType).Only(ctx)
+	m, err := r.queryMembership(orgID, projectID, memberID, membershipType).Only(ctx)
 
 	if err != nil {
 		if ent.IsNotFound(err) {
@@ -321,9 +322,12 @@ func (r *ProjectRepo) UpdateMemberRoleInProject(ctx context.Context, orgID uuid.
 }
 
 // queryMembership is a helper function to build a common membership query
-func (r *ProjectRepo) queryMembership(projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) *ent.MembershipQuery {
+func (r *ProjectRepo) queryMembership(orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) *ent.MembershipQuery {
 	return r.data.DB.Membership.Query().
 		Where(
+			membership.HasOrganizationWith(
+				organization.ID(orgID),
+			),
 			membership.MembershipTypeEQ(membershipType),
 			membership.MemberID(memberID),
 			membership.ResourceTypeEQ(authz.ResourceTypeProject),

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ type ProjectsRepo interface {`
`45`	`45`	`// UpdateMemberRoleInProject updates the role of a user or group in a project.`
`46`	`46`	`UpdateMemberRoleInProject(ctx context.Context, orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType, newRole authz.Role) (*ProjectMembership, error)`
`47`	`47`	`// FindProjectMembershipByProjectAndID finds a project membership by project ID and member ID (user or group).`
`48`		`- FindProjectMembershipByProjectAndID(ctx context.Context, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) (*ProjectMembership, error)`
	`48`	`+ FindProjectMembershipByProjectAndID(ctx context.Context, orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) (*ProjectMembership, error)`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`// ProjectUseCase is a use case for projects`
`@@ -252,7 +252,7 @@ func (uc *ProjectUseCase) addUserToProject(ctx context.Context, orgID uuid.UUID,`
`252`	`252`	`userUUID := uuid.MustParse(userMembership.User.ID)`
`253`	`253`
`254`	`254`	`// Check if the user is already a member of the project`
`255`		`- existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, projectID, userUUID, authz.MembershipTypeUser)`
	`255`	`+ existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, userUUID, authz.MembershipTypeUser)`
`256`	`256`	`if err != nil && !IsNotFound(err) {`
`257`	`257`	`return nil, fmt.Errorf("failed to check existing membership: %w", err)`
`258`	`258`	`}`
`@@ -289,7 +289,7 @@ func (uc *ProjectUseCase) addGroupToProject(ctx context.Context, orgID uuid.UUID`
`289`	`289`	`}`
`290`	`290`
`291`	`291`	`// Check if the group already has membership in the project`
`292`		`- existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, projectID, resolvedGroupID, authz.MembershipTypeGroup)`
	`292`	`+ existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, resolvedGroupID, authz.MembershipTypeGroup)`
`293`	`293`	`if err != nil && !IsNotFound(err) {`
`294`	`294`	`return nil, fmt.Errorf("failed to check existing group membership: %w", err)`
`295`	`295`	`}`
`@@ -371,7 +371,7 @@ func (uc *ProjectUseCase) removeUserFromProject(ctx context.Context, orgID uuid.`
`371`	`371`	`userUUID := uuid.MustParse(userMembership.User.ID)`
`372`	`372`
`373`	`373`	`// Check if the user is a member of the project`
`374`		`- existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, projectID, userUUID, authz.MembershipTypeUser)`
	`374`	`+ existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, userUUID, authz.MembershipTypeUser)`
`375`	`375`	`if err != nil && !IsNotFound(err) {`
`376`	`376`	`return fmt.Errorf("failed to check existing membership: %w", err)`
`377`	`377`	`}`
`@@ -406,7 +406,7 @@ func (uc *ProjectUseCase) removeGroupFromProject(ctx context.Context, orgID uuid`
`406`	`406`	`}`
`407`	`407`
`408`	`408`	`// Check if the group has membership in the project`
`409`		`- existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, projectID, resolvedGroupID, authz.MembershipTypeGroup)`
	`409`	`+ existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, resolvedGroupID, authz.MembershipTypeGroup)`
`410`	`410`	`if err != nil && !IsNotFound(err) {`
`411`	`411`	`return fmt.Errorf("failed to check existing group membership: %w", err)`
`412`	`412`	`}`
`@@ -526,7 +526,8 @@ func (uc *ProjectUseCase) verifyRequesterHasPermissions(ctx context.Context, org`
`526`	`526`	`for _, m := range requesterMemberships {`
`527`	`527`	`if m.ResourceType == authz.ResourceTypeProject &&`
`528`	`528`	`m.ResourceID == projectID &&`
`529`		`- m.Role == authz.RoleProjectAdmin {`
	`529`	`+ m.Role == authz.RoleProjectAdmin &&`
	`530`	`+ m.OrganizationID == orgID {`
`530`	`531`	`hasProjectAdminRole = true`
`531`	`532`	`break`
`532`	`533`	`}`
`@@ -610,7 +611,7 @@ func (uc *ProjectUseCase) updateUserRoleInProject(ctx context.Context, orgID uui`
`610`	`611`	`userUUID := uuid.MustParse(userMembership.User.ID)`
`611`	`612`
`612`	`613`	`// Check if the user is a member of the project`
`613`		`- existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, projectID, userUUID, authz.MembershipTypeUser)`
	`614`	`+ existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, userUUID, authz.MembershipTypeUser)`
`614`	`615`	`if err != nil && !IsNotFound(err) {`
`615`	`616`	`return fmt.Errorf("failed to check existing membership: %w", err)`
`616`	`617`	`}`
`@@ -652,7 +653,7 @@ func (uc *ProjectUseCase) updateGroupRoleInProject(ctx context.Context, orgID uu`
`652`	`653`	`}`
`653`	`654`
`654`	`655`	`// Check if the group has membership in the project`
`655`		`- existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, projectID, resolvedGroupID, authz.MembershipTypeGroup)`
	`656`	`+ existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, resolvedGroupID, authz.MembershipTypeGroup)`
`656`	`657`	`if err != nil && !IsNotFound(err) {`
`657`	`658`	`return fmt.Errorf("failed to check existing group membership: %w", err)`
`658`	`659`	`}`