ui improvements

server/routers/external.ts

@@ -39,6 +39,7 @@ import {
     verifyApiKeyAccess,
     verifyDomainAccess,
     verifyUserHasAction,
+    verifyUserCanSetUserOrgRoles,
     verifyUserIsOrgOwner,
     verifySiteResourceAccess,
     verifyOlmAccess,
@@ -837,6 +838,16 @@ authenticated.post(
     user.updateOrgUser
 );
 
+authenticated.post(
+    "/org/:orgId/user/:userId/roles",
+    verifyOrgAccess,
+    verifyUserAccess,
+    verifyLimits,
+    verifyUserCanSetUserOrgRoles(),
+    logActionAudit(ActionsEnum.setUserOrgRoles),
+    user.setUserOrgRoles
+);
+
 authenticated.get("/org/:orgId/user/:userId", verifyOrgAccess, user.getOrgUser);
 authenticated.get("/org/:orgId/user/:userId/check", org.checkOrgUserAccess);
 

server/routers/integration.ts

@@ -16,6 +16,7 @@ import {
     verifyApiKey,
     verifyApiKeyOrgAccess,
     verifyApiKeyHasAction,
+    verifyApiKeyCanSetUserOrgRoles,
     verifyApiKeySiteAccess,
     verifyApiKeyResourceAccess,
     verifyApiKeyTargetAccess,
@@ -814,6 +815,16 @@ authenticated.post(
     user.updateOrgUser
 );
 
+authenticated.post(
+    "/org/:orgId/user/:userId/roles",
+    verifyApiKeyOrgAccess,
+    verifyApiKeyUserAccess,
+    verifyLimits,
+    verifyApiKeyCanSetUserOrgRoles(),
+    logActionAudit(ActionsEnum.setUserOrgRoles),
+    user.setUserOrgRoles
+);
+
 authenticated.delete(
     "/org/:orgId/user/:userId",
     verifyApiKeyOrgAccess,

server/routers/user/index.ts

@@ -3,6 +3,7 @@ export * from "./removeUserOrg";
 export * from "./listUsers";
 export * from "./addUserRole";
 export * from "./removeUserRole";
+export * from "./setUserOrgRoles";
 export * from "./inviteUser";
 export * from "./acceptInvite";
 export * from "./getOrgUser";

server/routers/user/listUsers.ts

@@ -5,11 +5,10 @@ import { idp, roles, userOrgRoles, userOrgs, users } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import createHttpError from "http-errors";
-import { sql } from "drizzle-orm";
+import { and, eq, inArray, sql } from "drizzle-orm";
 import logger from "@server/logger";
 import { fromZodError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { eq } from "drizzle-orm";
 
 const listUsersParamsSchema = z.strictObject({
     orgId: z.string()
@@ -56,15 +55,24 @@ async function queryUsers(orgId: string, limit: number, offset: number) {
         .limit(limit)
         .offset(offset);
 
-    const roleRows = await db
-        .select({
-            userId: userOrgRoles.userId,
-            roleId: userOrgRoles.roleId,
-            roleName: roles.name
-        })
-        .from(userOrgRoles)
-        .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
-        .where(eq(userOrgRoles.orgId, orgId));
+    const userIds = rows.map((r) => r.id);
+    const roleRows =
+        userIds.length === 0
+            ? []
+            : await db
+                  .select({
+                      userId: userOrgRoles.userId,
+                      roleId: userOrgRoles.roleId,
+                      roleName: roles.name
+                  })
+                  .from(userOrgRoles)
+                  .leftJoin(roles, eq(userOrgRoles.roleId, roles.roleId))
+                  .where(
+                      and(
+                          eq(userOrgRoles.orgId, orgId),
+                          inArray(userOrgRoles.userId, userIds)
+                      )
+                  );
 
     const rolesByUser = new Map<
         string,

server/routers/user/setUserOrgRoles.ts

@@ -0,0 +1,151 @@
+import { Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import { clients, db } from "@server/db";
+import { userOrgRoles, userOrgs, roles } from "@server/db";
+import { eq, and, inArray } from "drizzle-orm";
+import response from "@server/lib/response";
+import HttpCode from "@server/types/HttpCode";
+import createHttpError from "http-errors";
+import logger from "@server/logger";
+import { fromError } from "zod-validation-error";
+import { OpenAPITags, registry } from "@server/openApi";
+import { rebuildClientAssociationsFromClient } from "@server/lib/rebuildClientAssociations";
+
+const setUserOrgRolesParamsSchema = z.strictObject({
+    orgId: z.string(),
+    userId: z.string()
+});
+
+const setUserOrgRolesBodySchema = z.strictObject({
+    roleIds: z.array(z.int().positive()).min(1)
+});
+
+export async function setUserOrgRoles(
+    req: Request,
+    res: Response,
+    next: NextFunction
+): Promise<any> {
+    try {
+        const parsedParams = setUserOrgRolesParamsSchema.safeParse(req.params);
+        if (!parsedParams.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedParams.error).toString()
+                )
+            );
+        }
+
+        const parsedBody = setUserOrgRolesBodySchema.safeParse(req.body);
+        if (!parsedBody.success) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    fromError(parsedBody.error).toString()
+                )
+            );
+        }
+
+        const { orgId, userId } = parsedParams.data;
+        const { roleIds } = parsedBody.data;
+
+        if (req.user && !req.userOrg) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "You do not have access to this organization"
+                )
+            );
+        }
+
+        const uniqueRoleIds = [...new Set(roleIds)];
+
+        const [existingUser] = await db
+            .select()
+            .from(userOrgs)
+            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
+            .limit(1);
+
+        if (!existingUser) {
+            return next(
+                createHttpError(
+                    HttpCode.NOT_FOUND,
+                    "User not found in this organization"
+                )
+            );
+        }
+
+        if (existingUser.isOwner) {
+            return next(
+                createHttpError(
+                    HttpCode.FORBIDDEN,
+                    "Cannot change the roles of the owner of the organization"
+                )
+            );
+        }
+
+        const orgRoles = await db
+            .select({ roleId: roles.roleId })
+            .from(roles)
+            .where(
+                and(
+                    eq(roles.orgId, orgId),
+                    inArray(roles.roleId, uniqueRoleIds)
+                )
+            );
+
+        if (orgRoles.length !== uniqueRoleIds.length) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "One or more role IDs are invalid for this organization"
+                )
+            );
+        }
+
+        await db.transaction(async (trx) => {
+            await trx
+                .delete(userOrgRoles)
+                .where(
+                    and(
+                        eq(userOrgRoles.userId, userId),
+                        eq(userOrgRoles.orgId, orgId)
+                    )
+                );
+
+            if (uniqueRoleIds.length > 0) {
+                await trx.insert(userOrgRoles).values(
+                    uniqueRoleIds.map((roleId) => ({
+                        userId,
+                        orgId,
+                        roleId
+                    }))
+                );
+            }
+
+            const orgClients = await trx
+                .select()
+                .from(clients)
+                .where(
+                    and(eq(clients.userId, userId), eq(clients.orgId, orgId))
+                );
+
+            for (const orgClient of orgClients) {
+                await rebuildClientAssociationsFromClient(orgClient, trx);
+            }
+        });
+
+        return response(res, {
+            data: { userId, orgId, roleIds: uniqueRoleIds },
+            success: true,
+            error: false,
+            message: "User roles set successfully",
+            status: HttpCode.OK
+        });
+    } catch (error) {
+        logger.error(error);
+        return next(
+            createHttpError(HttpCode.INTERNAL_SERVER_ERROR, "An error occurred")
+        );
+    }
+}