fix: missing organization roles to user when added as member (#389)

Signed-off-by: Kush Sharma <[email protected]>

core/organization/organization.go

@@ -20,7 +20,9 @@ const (
 	Disabled State = "disabled"
 
 	AdminPermission = schema.UpdatePermission
-	AdminRole       = schema.OwnerRelationName
+	AdminRelation   = schema.OwnerRelationName
+	AdminRole       = schema.RoleOrganizationOwner
+	MemberRole      = schema.RoleOrganizationViewer
 )
 
 type Repository interface {

core/organization/service.go

@@ -143,6 +143,19 @@ func (s Service) Create(ctx context.Context, org Organization) (Organization, er
 }
 
 func (s Service) AddMember(ctx context.Context, orgID, relationName string, principal authenticate.Principal) error {
+	roleID := MemberRole
+	if relationName == schema.OwnerRelationName {
+		roleID = AdminRole
+	}
+	if _, err := s.policyService.Create(ctx, policy.Policy{
+		RoleID:        roleID,
+		ResourceID:    orgID,
+		ResourceType:  schema.OrganizationNamespace,
+		PrincipalID:   principal.ID,
+		PrincipalType: principal.Type,
+	}); err != nil {
+		return err
+	}
 	if _, err := s.relationService.Create(ctx, relation.Relation{
 		Object: relation.Object{
 			ID:        orgID,

internal/bootstrap/schema/schema.go

@@ -69,11 +69,15 @@ const (
 	SuperUserPrincipal   = "app/superuser"
 
 	// Roles
+	RoleOrganizationViewer = "app_organization_viewer"
+	RoleOrganizationOwner  = "app_organization_owner"
+
 	RoleProjectOwner   = "app_project_owner"
 	RoleProjectManager = "app_project_manager"
 	RoleProjectViewer  = "app_project_viewer"
-	GroupOwnerRole     = "app_group_owner"
-	GroupMemberRole    = "app_group_member"
+
+	GroupOwnerRole  = "app_group_owner"
+	GroupMemberRole = "app_group_member"
 )
 
 var (
@@ -259,7 +263,7 @@ var PredefinedRoles = []RoleDefinition{
 	// org
 	{
 		Title: "Organization Owner",
-		Name:  "app_organization_owner",
+		Name:  RoleOrganizationOwner,
 		Permissions: []string{
 			"app_organization_administer",
 		},
@@ -292,7 +296,7 @@ var PredefinedRoles = []RoleDefinition{
 	},
 	{
 		Title: "Organization Viewer",
-		Name:  "app_organization_viewer",
+		Name:  RoleOrganizationViewer,
 		Permissions: []string{
 			"app_organization_get",
 		},

test/e2e/regression/api_test.go

@@ -108,6 +108,12 @@ func (s *APIRegressionTestSuite) TestOrganizationAPI() {
 		s.Assert().NoError(err)
 		s.Assert().Equal(1, len(orgUsersResp.GetUsers()))
 		s.Assert().Equal(testbench.OrgAdminEmail, orgUsersResp.GetUsers()[0].Email)
+
+		orgCreatedPolicies, err := s.testBench.AdminClient.ListPolicies(ctxOrgAdminAuth, &frontierv1beta1.ListPoliciesRequest{
+			OrgId: createOrgResp.GetOrganization().GetId(),
+		})
+		s.Assert().NoError(err)
+		s.Assert().Equal(1, len(orgCreatedPolicies.GetPolicies()))
 	})
 	s.Run("2. user attached to an org as member should have no basic permission other than membership", func() {
 		createOrgResp, err := s.testBench.Client.CreateOrganization(ctxOrgAdminAuth, &frontierv1beta1.CreateOrganizationRequest{
@@ -1021,7 +1027,7 @@ func (s *APIRegressionTestSuite) TestRelationAPI() {
 		_, err = s.testBench.Client.CreateRelation(ctxOrgAdminAuth, &frontierv1beta1.CreateRelationRequest{Body: &frontierv1beta1.RelationRequestBody{
 			Object:   schema.JoinNamespaceAndResourceID(schema.OrganizationNamespace, existingOrg.GetOrganization().GetId()),
 			Subject:  schema.JoinNamespaceAndResourceID(schema.UserPrincipal, createUserResp.GetUser().GetId()),
-			Relation: organization.AdminRole,
+			Relation: organization.AdminRelation,
 		}})
 		s.Assert().NoError(err)
 
@@ -1050,7 +1056,7 @@ func (s *APIRegressionTestSuite) TestRelationAPI() {
 		_, err = s.testBench.Client.CreateRelation(ctxOrgAdminAuth, &frontierv1beta1.CreateRelationRequest{Body: &frontierv1beta1.RelationRequestBody{
 			Object:   schema.JoinNamespaceAndResourceID(schema.OrganizationNamespace, existingOrg.GetOrganization().GetId()),
 			Subject:  schema.JoinNamespaceAndResourceID(schema.UserPrincipal, createUserResp.GetUser().GetId()),
-			Relation: organization.AdminRole,
+			Relation: organization.AdminRelation,
 		}})
 		s.Assert().NoError(err)