fix

Author: easyCZ

components/openfga/scripts.hack

@@ -151,3 +151,13 @@ curl -X POST "openfga:8080/stores/01GP4CRKXESH1JE5E0SNHMZYG1/authorization-model
   ],
   "schema_version": "1.1"
 }'
+
+curl -X POST "openfga:8080/stores/01GP4CRKXESH1JE5E0SNHMZYG1/check" \
+  -H "content-type: application/json" \
+  -d '{"tuple_key":{"user":"user:milan","relation":"maintainer","object":"project:project1"}}'
+
+# Response: {"allowed":true}
+b23f24d7-47f7-4366-a642-ce46b61b499e
+
+curl -X GET "localhost:8080/stores/01GP4CRKXESH1JE5E0SNHMZYG1/changes" \
+  -H "content-type: application/json"

components/server/src/perms.ts

@@ -4,6 +4,7 @@
  * See License.AGPL.txt in the project root for license information.
  */
 
+import { del } from "@gitbeaker/core/dist/types/infrastructure";
 import { ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
 import { OpenFgaApi, TupleKey } from "@openfga/sdk";
 import { ResponseError } from "vscode-jsonrpc";
@@ -30,42 +31,59 @@ function proj(id: string): string {
     return `project:${id}`;
 }
 
+export async function isTeamOwner(userID: string, teamID: string): Promise<boolean> {
+    return (
+        (
+            await OpenFGA.check({
+                tuple_key: tup(user(userID), "owner", team(teamID)),
+            })
+        ).allowed || false
+    );
+}
+
+export async function isTeamMember(userID: string, teamID: string): Promise<boolean> {
+    return (
+        (
+            await OpenFGA.check({
+                tuple_key: tup(user(userID), "member", team(teamID)),
+            })
+        ).allowed || false
+    );
+}
+
 export async function grantTeamOwner(userID: string, teamID: string) {
-    await OpenFGA.write({
+    const deletes: TupleKey[] = [];
+
+    const isMember = await isTeamMember(userID, teamID);
+    if (isMember) {
+        deletes.push(tup(user(userID), "member", team(teamID)));
+    }
+
+    return await OpenFGA.write({
         writes: {
             tuple_keys: [tup(user(userID), "owner", team(teamID))],
         },
+        deletes: {
+            tuple_keys: deletes,
+        },
     });
-
-    try {
-        // also remove any existing member role, if it existed
-        await OpenFGA.write({
-            deletes: {
-                tuple_keys: [tup(user(userID), "member", team(teamID))],
-            },
-        });
-    } catch (e) {
-        // if the member role did not exist, the delete we fail, but we do not need to do anything as we have the desired outcome.
-    }
 }
 
 export async function grantTeamMember(userID: string, teamID: string) {
+    const deletes: TupleKey[] = [];
+
+    const isMember = await isTeamOwner(userID, teamID);
+    if (isMember) {
+        deletes.push(tup(user(userID), "owner", team(teamID)));
+    }
     await OpenFGA.write({
         writes: {
             tuple_keys: [tup(user(userID), "member", team(teamID))],
         },
+        deletes: {
+            tuple_keys: deletes,
+        },
     });
-
-    try {
-        // also remove any existing owner role
-        await OpenFGA.write({
-            deletes: {
-                tuple_keys: [tup(user(userID), "owner", team(teamID))],
-            },
-        });
-    } catch (e) {
-        // if the owner role did not exist, the delete we fail, but we do not need to do anything as we have the desired outcome.
-    }
 }
 
 export async function removeUserFromTeam(userID: string, teamID: string) {