29 changes: 25 additions & 4 deletions app.py
Expand Up @@ -1437,6 +1437,7 @@ def get(self, project_id):
ORDER BY name
""", (project_id, organisation_id))
else:
# Add a check that org-partial cannot see private org projects that they are not assigned to
user_projects = keycloak_auth.get_user_projects()
cursor.execute("""
SELECT *
Expand Down Expand Up @@ -1634,9 +1635,9 @@ def post(self, project_id):

@project_ns.route('/<string:project_id>/users')
class ProjectUsers(Resource):

### GET /projects/<project_id>/users ###

@api.doc('list_project_users')
@require_auth(keycloak_auth)
@require_permission('view_project_users', resource_type='project', resource_id_arg='project_id')
Expand All @@ -1645,23 +1646,43 @@ def get(self, project_id):
"""List users associated with a project"""

try:
organisation_id = keycloak_auth.get_user_org()
org_users = keycloak_auth.get_users_by_attribute('organisation_id', organisation_id)
org_admins = []
org_contributors = []
org_viewers = []
org_owners = []

for user in org_users:
user_roles = keycloak_auth.get_realm_roles(user['user_id'])
if user_roles[0] == 'agari-org-admin':
org_admins.append(user)
elif user_roles[0] == 'agari-org-contributor':
org_contributors.append(user)
elif user_roles[0] == 'agari-org-viewer':
org_viewers.append(user)
elif user_roles[0] == 'agari-org-owner':
org_owners.append(user)

# Get all users with any project role
all_project_admins = keycloak_auth.get_users_by_attribute('project-admin', project_id)
all_project_contributors = keycloak_auth.get_users_by_attribute('project-contributor', project_id)
all_project_viewers = keycloak_auth.get_users_by_attribute('project-viewer', project_id)

all_project_admins.extend(org_admins)
all_project_contributors.extend(org_contributors)
all_project_viewers.extend(org_viewers)

# Create sets of user IDs for each role
admin_user_ids = {user['user_id'] for user in all_project_admins}
contributor_user_ids = {user['user_id'] for user in all_project_contributors}
viewer_user_ids = {user['user_id'] for user in all_project_viewers}

# Apply role hierarchy: admin > contributor > viewer
# Remove lower privilege roles if user has higher privilege

# If user is admin, remove them from contributor and viewer lists
contributor_user_ids = contributor_user_ids - admin_user_ids
viewer_user_ids = viewer_user_ids - admin_user_ids

# If user is contributor (but not admin), remove them from viewer list
viewer_user_ids = viewer_user_ids - contributor_user_ids

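Review bot: The org-level bucketing in ProjectUsers.get keys on `user_roles[0]` alone, so a user whose realm roles list an `agari-org-*` role anywhere but first is silently left out of every list, and a user with no realm roles raises IndexError inside the try (the matching except is outside the hunk). Nothing in the visible lines fixes the order of the list get_realm_roles returns, so each branch should test membership instead, e.g. `if 'agari-org-admin' in user_roles:` and likewise for the contributor, viewer and owner branches; if a user can hold more than one of these roles, the later admin > contributor > viewer subtraction already resolves the overlap. `org_owners` is filled but not consumed in the visible lines; if it is unused downstream it should go, otherwise a comment should say which project-level role an org owner maps to. The first hunk adds a comment announcing a check that org-partial users cannot see private projects they are not assigned to, but no such check appears in the lines around it — it needs either the check or an owned `# TODO:`. get's body continues past the end of the hunk.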