@@ -216,31 +216,9 @@ func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
216216 aReq .Old = member .OrganizationMember .Auditable (member .Username )
217217 defer commitAudit ()
218218
219- // Keep this block scoping to prevent accidental use of the user variable.
220- {
221- // nolint:gocritic // The caller could be an org admin without this perm.
222- // We need to disable manual role assignment if role sync is enabled for
223- // the given organization.
224- user , err := api .Database .GetUserByID (dbauthz .AsSystemRestricted (ctx ), member .UserID )
225- if err != nil {
226- httpapi .InternalServerError (rw , err )
227- return
228- }
229- if user .LoginType == database .LoginTypeOIDC {
230- // nolint:gocritic // fetching settings
231- orgSync , err := api .IDPSync .OrganizationRoleSyncEnabled (dbauthz .AsSystemRestricted (ctx ), api .Database , organization .ID )
232- if err != nil {
233- httpapi .InternalServerError (rw , err )
234- return
235- }
236- if orgSync {
237- httpapi .Write (ctx , rw , http .StatusBadRequest , codersdk.Response {
238- Message : "Cannot modify roles for OIDC users when role sync is enabled. This organization member's roles are managed by the identity provider." ,
239- Detail : "'User Role Field' is set in the organization settings. Ask an administrator to adjust or disable these settings." ,
240- })
241- return
242- }
243- }
219+ // Check if changing roles is allowed
220+ if ! api .allowChangingMemberRoles (rw , ctx , member , organization ) {
221+ return
244222 }
245223
246224 if apiKey .UserID == member .OrganizationMember .UserID {
@@ -287,6 +265,35 @@ func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
287265 httpapi .Write (ctx , rw , http .StatusOK , resp [0 ])
288266}
289267
268+ func (api * API ) allowChangingMemberRoles (rw http.ResponseWriter , ctx context.Context , member httpmw.OrganizationMember , organization database.Organization ) bool {
269+ // nolint:gocritic // The caller could be an org admin without this perm.
270+ // We need to disable manual role assignment if role sync is enabled for
271+ // the given organization.
272+ user , err := api .Database .GetUserByID (dbauthz .AsSystemRestricted (ctx ), member .UserID )
273+ if err != nil {
274+ httpapi .InternalServerError (rw , err )
275+ return false
276+ }
277+
278+ if user .LoginType == database .LoginTypeOIDC {
279+ // nolint:gocritic // fetching settings
280+ orgSync , err := api .IDPSync .OrganizationRoleSyncEnabled (dbauthz .AsSystemRestricted (ctx ), api .Database , organization .ID )
281+ if err != nil {
282+ httpapi .InternalServerError (rw , err )
283+ return false
284+ }
285+ if orgSync {
286+ httpapi .Write (ctx , rw , http .StatusBadRequest , codersdk.Response {
287+ Message : "Cannot modify roles for OIDC users when role sync is enabled. This organization member's roles are managed by the identity provider." ,
288+ Detail : "'User Role Field' is set in the organization settings. Ask an administrator to adjust or disable these settings." ,
289+ })
290+ return false
291+ }
292+ }
293+
294+ return true
295+ }
296+
290297// convertOrganizationMembers batches the role lookup to make only 1 sql call
291298// We
292299func convertOrganizationMembers (ctx context.Context , db database.Store , mems []database.OrganizationMember ) ([]codersdk.OrganizationMember , error ) {
0 commit comments