feat(backend): implement org member patch api (#12800)

2026-03-22 05:37:20 +08:00 · 2026-02-10 20:01:24 +07:00
parent 4a089a3a0d
commit f20c956196
6 changed files with 955 additions and 50 deletions
--- a/enterprise/server/constants.py
+++ b/enterprise/server/constants.py
@@ -15,6 +15,11 @@ IS_FEATURE_ENV = (
 )  # Does not include the staging deployment
 IS_LOCAL_ENV = bool(HOST == 'localhost')

+# Role name constants
+ROLE_OWNER = 'owner'
+ROLE_ADMIN = 'admin'
+ROLE_USER = 'user'
+
 # Deprecated - billing margins are now handled internally in litellm
 DEFAULT_BILLING_MARGIN = float(os.environ.get('DEFAULT_BILLING_MARGIN', '1.0'))

--- a/enterprise/server/routes/org_models.py
+++ b/enterprise/server/routes/org_models.py
@@ -59,7 +59,7 @@ class OrgMemberNotFoundError(Exception):
    def __init__(self, org_id: str, user_id: str):
        self.org_id = org_id
        self.user_id = user_id
-        super().__init__(f'Member not found in organization "{org_id}"')
+        super().__init__(f'Member "{user_id}" not found in organization "{org_id}"')


 class RoleNotFoundError(Exception):
@@ -70,6 +70,44 @@ class RoleNotFoundError(Exception):
        super().__init__(f'Role with id "{role_id}" not found')


+class InvalidRoleError(Exception):
+    """Raised when an invalid role name is specified."""
+
+    def __init__(self, role_name: str):
+        self.role_name = role_name
+        super().__init__(f'Invalid role: "{role_name}"')
+
+
+class InsufficientPermissionError(Exception):
+    """Raised when user lacks permission to perform an operation."""
+
+    def __init__(self, message: str = 'Insufficient permission'):
+        super().__init__(message)
+
+
+class CannotModifySelfError(Exception):
+    """Raised when user attempts to modify their own membership."""
+
+    def __init__(self, action: str = 'modify'):
+        self.action = action
+        super().__init__(f'Cannot {action} your own membership')
+
+
+class LastOwnerError(Exception):
+    """Raised when attempting to remove or demote the last owner."""
+
+    def __init__(self, action: str = 'remove'):
+        self.action = action
+        super().__init__(f'Cannot {action} the last owner of an organization')
+
+
+class MemberUpdateError(Exception):
+    """Raised when member update operation fails."""
+
+    def __init__(self, message: str = 'Failed to update member'):
+        super().__init__(message)
+
+
 class OrgCreate(BaseModel):
    """Request model for creating a new organization."""

@@ -217,6 +255,12 @@ class OrgMemberPage(BaseModel):
    next_page_id: str | None = None


+class OrgMemberUpdate(BaseModel):
+    """Request model for updating an organization member."""
+
+    role: str | None = None  # Role name: 'owner', 'admin', or 'user'
+
+
 class MeResponse(BaseModel):
    """Response model for the current user's membership in an organization."""

--- a/enterprise/server/routes/orgs.py
+++ b/enterprise/server/routes/orgs.py
@@ -4,13 +4,20 @@ from uuid import UUID
 from fastapi import APIRouter, Depends, HTTPException, Query, status
 from server.email_validation import get_admin_user_id
 from server.routes.org_models import (
+    CannotModifySelfError,
+    InsufficientPermissionError,
+    InvalidRoleError,
+    LastOwnerError,
    LiteLLMIntegrationError,
+    MemberUpdateError,
    MeResponse,
    OrgAuthorizationError,
    OrgCreate,
    OrgDatabaseError,
    OrgMemberNotFoundError,
    OrgMemberPage,
+    OrgMemberResponse,
+    OrgMemberUpdate,
    OrgNameExistsError,
    OrgNotFoundError,
    OrgPage,
@@ -678,3 +685,82 @@ async def switch_org(
            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
            detail='An unexpected error occurred',
        )
+
+
+@org_router.patch('/{org_id}/members/{user_id}', response_model=OrgMemberResponse)
+async def update_org_member(
+    org_id: str,
+    user_id: str,
+    update_data: OrgMemberUpdate,
+    current_user_id: str = Depends(get_user_id),
+) -> OrgMemberResponse:
+    """Update a member's role in an organization.
+
+    Permission rules:
+    - Admins can change roles of regular users to Admin or User
+    - Admins cannot modify other Admins or Owners
+    - Owners can change roles of Admins and Users to any role (Owner, Admin, User)
+    - Owners cannot modify other Owners
+
+    Users cannot modify their own role. The last owner cannot be demoted.
+    """
+    try:
+        return await OrgMemberService.update_org_member(
+            org_id=UUID(org_id),
+            target_user_id=UUID(user_id),
+            current_user_id=UUID(current_user_id),
+            update_data=update_data,
+        )
+    except OrgMemberNotFoundError as e:
+        # Distinguish between requester not being a member vs target not found
+        if str(current_user_id) in str(e):
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail='You are not a member of this organization',
+            )
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail='Member not found in this organization',
+        )
+    except CannotModifySelfError:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail='Cannot modify your own role',
+        )
+    except RoleNotFoundError:
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Role configuration error',
+        )
+    except InvalidRoleError:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail='Invalid role specified',
+        )
+    except InsufficientPermissionError:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail='You do not have permission to modify this member',
+        )
+    except LastOwnerError:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail='Cannot demote the last owner of an organization',
+        )
+    except MemberUpdateError:
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to update member',
+        )
+    except ValueError:
+        logger.exception('Invalid UUID format')
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail='Invalid organization or user ID format',
+        )
+    except Exception:
+        logger.exception('Error updating organization member')
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail='Failed to update member',
+        )
--- a/enterprise/server/services/org_member_service.py
+++ b/enterprise/server/services/org_member_service.py
@@ -2,11 +2,18 @@

 from uuid import UUID

+from server.constants import ROLE_ADMIN, ROLE_OWNER, ROLE_USER
 from server.routes.org_models import (
+    CannotModifySelfError,
+    InsufficientPermissionError,
+    InvalidRoleError,
+    LastOwnerError,
+    MemberUpdateError,
    MeResponse,
    OrgMemberNotFoundError,
    OrgMemberPage,
    OrgMemberResponse,
+    OrgMemberUpdate,
    RoleNotFoundError,
 )
 from storage.org_member_store import OrgMemberStore
@@ -15,10 +22,6 @@ from storage.user_store import UserStore

 from openhands.utils.async_utils import call_sync_from_async

-# Role rank constants
-OWNER_RANK = 10
-ADMIN_RANK = 20
-

 class OrgMemberService:
    """Service for organization member operations."""
@@ -149,14 +152,14 @@ class OrgMemberService:
            if not requester_role or not target_role:
                return False, 'role_not_found'

-            # Check permission based on role ranks
+            # Check permission based on roles
            if not OrgMemberService._can_remove_member(
-                requester_role.rank, target_role.rank
+                requester_role.name, target_role.name
            ):
                return False, 'insufficient_permission'

            # Check if removing the last owner
-            if target_role.rank == OWNER_RANK:
+            if target_role.name == ROLE_OWNER:
                if OrgMemberService._is_last_owner(org_id, target_user_id):
                    return False, 'cannot_remove_last_owner'

@@ -170,12 +173,160 @@ class OrgMemberService:
        return await call_sync_from_async(_remove_member)

    @staticmethod
-    def _can_remove_member(requester_rank: int, target_rank: int) -> bool:
-        """Check if requester can remove target based on role ranks."""
-        if requester_rank == OWNER_RANK:
+    async def update_org_member(
+        org_id: UUID,
+        target_user_id: UUID,
+        current_user_id: UUID,
+        update_data: OrgMemberUpdate,
+    ) -> OrgMemberResponse:
+        """Update a member's role in an organization.
+
+        Permission rules:
+        - Admins can change roles of users (rank > ADMIN_RANK) to Admin or User
+        - Admins cannot modify other Admins or Owners
+        - Owners can change roles of non-owners (rank > OWNER_RANK) to any role
+        - Owners cannot modify other Owners
+
+        Args:
+            org_id: Organization ID
+            target_user_id: User ID of the member to update
+            current_user_id: User ID of the requester
+            update_data: Update data containing fields to modify
+
+        Returns:
+            OrgMemberResponse: The updated member data
+
+        Raises:
+            OrgMemberNotFoundError: If requester or target is not a member
+            CannotModifySelfError: If trying to modify self
+            RoleNotFoundError: If role configuration is invalid
+            InvalidRoleError: If new_role_name is not a valid role
+            InsufficientPermissionError: If requester lacks permission
+            LastOwnerError: If trying to demote the last owner
+            MemberUpdateError: If update operation fails
+        """
+        new_role_name = update_data.role
+
+        def _update_member():
+            # Get current user's membership in the org
+            requester_membership = OrgMemberStore.get_org_member(
+                org_id, current_user_id
+            )
+            if not requester_membership:
+                raise OrgMemberNotFoundError(str(org_id), str(current_user_id))
+
+            # Check if trying to modify self
+            if str(current_user_id) == str(target_user_id):
+                raise CannotModifySelfError('modify')
+
+            # Get target user's membership
+            target_membership = OrgMemberStore.get_org_member(org_id, target_user_id)
+            if not target_membership:
+                raise OrgMemberNotFoundError(str(org_id), str(target_user_id))
+
+            # Get roles
+            requester_role = RoleStore.get_role_by_id(requester_membership.role_id)
+            target_role = RoleStore.get_role_by_id(target_membership.role_id)
+
+            if not requester_role:
+                raise RoleNotFoundError(requester_membership.role_id)
+            if not target_role:
+                raise RoleNotFoundError(target_membership.role_id)
+
+            # If no role change requested, return current state
+            if new_role_name is None:
+                user = UserStore.get_user_by_id(str(target_user_id))
+                return OrgMemberResponse(
+                    user_id=str(target_membership.user_id),
+                    email=user.email if user else None,
+                    role_id=target_membership.role_id,
+                    role_name=target_role.name,
+                    role_rank=target_role.rank,
+                    status=target_membership.status,
+                )
+
+            # Validate new role exists
+            new_role = RoleStore.get_role_by_name(new_role_name.lower())
+            if not new_role:
+                raise InvalidRoleError(new_role_name)
+
+            # Check permission to modify target
+            if not OrgMemberService._can_update_member_role(
+                requester_role.name, target_role.name, new_role.name
+            ):
+                raise InsufficientPermissionError(
+                    'You do not have permission to modify this member'
+                )
+
+            # Check if demoting the last owner
+            if (
+                target_role.name == ROLE_OWNER
+                and new_role.name != ROLE_OWNER
+                and OrgMemberService._is_last_owner(org_id, target_user_id)
+            ):
+                raise LastOwnerError('demote')
+
+            # Perform the update
+            updated_member = OrgMemberStore.update_user_role_in_org(
+                org_id, target_user_id, new_role.id
+            )
+            if not updated_member:
+                raise MemberUpdateError('Failed to update member')
+
+            # Get user email for response
+            user = UserStore.get_user_by_id(str(target_user_id))
+
+            return OrgMemberResponse(
+                user_id=str(updated_member.user_id),
+                email=user.email if user else None,
+                role_id=updated_member.role_id,
+                role_name=new_role.name,
+                role_rank=new_role.rank,
+                status=updated_member.status,
+            )
+
+        return await call_sync_from_async(_update_member)
+
+    @staticmethod
+    def _can_update_member_role(
+        requester_role_name: str, target_role_name: str, new_role_name: str
+    ) -> bool:
+        """Check if requester can change target's role to new_role.
+
+        Permission rules:
+        - Owners can modify admins and users, can set any role
+        - Owners cannot modify other owners
+        - Admins can only modify users
+        - Admins can only set admin or user roles (not owner)
+        """
+        is_requester_owner = requester_role_name == ROLE_OWNER
+        is_requester_admin = requester_role_name == ROLE_ADMIN
+        is_target_owner = target_role_name == ROLE_OWNER
+        is_target_admin = target_role_name == ROLE_ADMIN
+        is_new_role_owner = new_role_name == ROLE_OWNER
+
+        if is_requester_owner:
+            # Owners cannot modify other owners
+            if is_target_owner:
+                return False
+            # Owners can set any role (owner, admin, user)
            return True
-        elif requester_rank == ADMIN_RANK:
-            return target_rank > ADMIN_RANK
+        elif is_requester_admin:
+            # Admins cannot modify owners or other admins
+            if is_target_owner or is_target_admin:
+                return False
+            # Admins can only set admin or user roles (not owner)
+            return not is_new_role_owner
+        return False
+
+    @staticmethod
+    def _can_remove_member(requester_role_name: str, target_role_name: str) -> bool:
+        """Check if requester can remove target based on roles."""
+        if requester_role_name == ROLE_OWNER:
+            return True
+        elif requester_role_name == ROLE_ADMIN:
+            # Admins can only remove users (not owners or other admins)
+            return target_role_name == ROLE_USER
        return False

    @staticmethod
@@ -186,6 +337,6 @@ class OrgMemberService:
        for m in members:
            # Use role_id (column) instead of role (relationship) to avoid DetachedInstanceError
            role = RoleStore.get_role_by_id(m.role_id)
-            if role and role.rank == OWNER_RANK:
+            if role and role.name == ROLE_OWNER:
                owners.append(m)
        return len(owners) == 1 and str(owners[0].user_id) == str(user_id)