feat(projects): When adding members check all memberships

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>

Author: javirln

app/controlplane/pkg/biz/orginvitation.go

@@ -411,8 +411,8 @@ func (uc *OrgInvitationUseCase) processProjectMembership(ctx context.Context, in
 		role = authz.RoleProjectViewer
 	}
 
-	// Check if the user is already a member of the project
-	existingMembership, err := uc.projectRepo.FindProjectMembershipByProjectAndID(ctx, orgUUID, *projectID, userUUID, authz.MembershipTypeUser)
+	// Check if the user already has membership in the project (consider inherited memberships)
+	existingMembership, err := uc.projectRepo.FindProjectMembershipEffective(ctx, orgUUID, *projectID, userUUID, authz.MembershipTypeUser)
 	if err != nil && !IsNotFound(err) {
 		return fmt.Errorf("error checking project membership for user %s: %w", userUUID, err)
 	}

app/controlplane/pkg/biz/project.go

@@ -43,8 +43,12 @@ type ProjectsRepo interface {
 	RemoveMemberFromProject(ctx context.Context, orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) error
 	// UpdateMemberRoleInProject updates the role of a user or group in a project.
 	UpdateMemberRoleInProject(ctx context.Context, orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType, newRole authz.Role) (*ProjectMembership, error)
-	// FindProjectMembershipByProjectAndID finds a project membership by project ID and member ID (user or group).
-	FindProjectMembershipByProjectAndID(ctx context.Context, orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) (*ProjectMembership, error)
+	// FindProjectMembershipDirect finds a project membership by project ID and member ID (user or group).
+	// It only considers direct memberships (non-inherited).
+	FindProjectMembershipDirect(ctx context.Context, orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) (*ProjectMembership, error)
+	// FindProjectMembershipEffective finds a project membership by project ID and member ID (user or group).
+	// considering inherited (effective) memberships as well.
+	FindProjectMembershipEffective(ctx context.Context, orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) (*ProjectMembership, error)
 	// ListPendingInvitationsByProject retrieves a list of pending invitations for a project.
 	ListPendingInvitationsByProject(ctx context.Context, orgID uuid.UUID, projectID uuid.UUID, paginationOpts *pagination.OffsetPaginationOpts) ([]*OrgInvitation, int, error)
 }
@@ -342,8 +346,8 @@ func (uc *ProjectUseCase) addUserToProject(ctx context.Context, orgID uuid.UUID,
 
 	userUUID := uuid.MustParse(userMembership.User.ID)
 
-	// Check if the user is already a member of the project
-	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, userUUID, authz.MembershipTypeUser)
+	// Check if the user is already a member of the project (consider inherited memberships)
+	existingMembership, err := uc.projectsRepository.FindProjectMembershipEffective(ctx, orgID, projectID, userUUID, authz.MembershipTypeUser)
 	if err != nil && !IsNotFound(err) {
 		return nil, fmt.Errorf("failed to check existing membership: %w", err)
 	}
@@ -428,8 +432,8 @@ func (uc *ProjectUseCase) addGroupToProject(ctx context.Context, orgID uuid.UUID
 		return nil, fmt.Errorf("failed to validate group reference: %w", err)
 	}
 
-	// Check if the group already has membership in the project
-	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, resolvedGroupID, authz.MembershipTypeGroup)
+	// Check if the group already has membership in the project (consider inherited memberships)
+	existingMembership, err := uc.projectsRepository.FindProjectMembershipEffective(ctx, orgID, projectID, resolvedGroupID, authz.MembershipTypeGroup)
 	if err != nil && !IsNotFound(err) {
 		return nil, fmt.Errorf("failed to check existing group membership: %w", err)
 	}
@@ -513,7 +517,7 @@ func (uc *ProjectUseCase) removeUserFromProject(ctx context.Context, orgID uuid.
 	userUUID := uuid.MustParse(userMembership.User.ID)
 
 	// Check if the user is a member of the project
-	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, userUUID, authz.MembershipTypeUser)
+	existingMembership, err := uc.projectsRepository.FindProjectMembershipDirect(ctx, orgID, projectID, userUUID, authz.MembershipTypeUser)
 	if err != nil && !IsNotFound(err) {
 		return fmt.Errorf("failed to check existing membership: %w", err)
 	}
@@ -548,7 +552,7 @@ func (uc *ProjectUseCase) removeGroupFromProject(ctx context.Context, orgID uuid
 	}
 
 	// Check if the group has membership in the project
-	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, resolvedGroupID, authz.MembershipTypeGroup)
+	existingMembership, err := uc.projectsRepository.FindProjectMembershipDirect(ctx, orgID, projectID, resolvedGroupID, authz.MembershipTypeGroup)
 	if err != nil && !IsNotFound(err) {
 		return fmt.Errorf("failed to check existing group membership: %w", err)
 	}
@@ -749,7 +753,7 @@ func (uc *ProjectUseCase) updateUserRoleInProject(ctx context.Context, orgID uui
 	userUUID := uuid.MustParse(userMembership.User.ID)
 
 	// Check if the user is a member of the project
-	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, userUUID, authz.MembershipTypeUser)
+	existingMembership, err := uc.projectsRepository.FindProjectMembershipDirect(ctx, orgID, projectID, userUUID, authz.MembershipTypeUser)
 	if err != nil && !IsNotFound(err) {
 		return fmt.Errorf("failed to check existing membership: %w", err)
 	}
@@ -791,7 +795,7 @@ func (uc *ProjectUseCase) updateGroupRoleInProject(ctx context.Context, orgID uu
 	}
 
 	// Check if the group has membership in the project
-	existingMembership, err := uc.projectsRepository.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, resolvedGroupID, authz.MembershipTypeGroup)
+	existingMembership, err := uc.projectsRepository.FindProjectMembershipDirect(ctx, orgID, projectID, resolvedGroupID, authz.MembershipTypeGroup)
 	if err != nil && !IsNotFound(err) {
 		return fmt.Errorf("failed to check existing group membership: %w", err)
 	}

app/controlplane/pkg/data/project.go

@@ -214,7 +214,7 @@ func (r *ProjectRepo) AddMemberToProject(ctx context.Context, orgID uuid.UUID, p
 	}
 
 	// Return the created membership
-	return r.FindProjectMembershipByProjectAndID(ctx, orgID, projectID, memberID, membershipType)
+	return r.FindProjectMembershipDirect(ctx, orgID, projectID, memberID, membershipType)
 }
 
 // RemoveMemberFromProject removes a user or group from a project
@@ -229,7 +229,7 @@ func (r *ProjectRepo) RemoveMemberFromProject(ctx context.Context, orgID uuid.UU
 	}
 
 	// Find the membership to delete
-	m, err := r.queryMembership(orgID, projectID, memberID, membershipType).Only(ctx)
+	m, err := r.buildDirectMembershipQuery(orgID, projectID, memberID, membershipType).Only(ctx)
 
 	if err != nil {
 		if ent.IsNotFound(err) {
@@ -246,10 +246,10 @@ func (r *ProjectRepo) RemoveMemberFromProject(ctx context.Context, orgID uuid.UU
 	return nil
 }
 
-// FindProjectMembershipByProjectAndID finds a project membership by project ID and member ID (user or group)
-func (r *ProjectRepo) FindProjectMembershipByProjectAndID(ctx context.Context, orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) (*biz.ProjectMembership, error) {
-	// Find the membership
-	m, err := r.queryMembership(orgID, projectID, memberID, membershipType).Only(ctx)
+// FindProjectMembershipDirect finds a project membership by project ID and member ID (user or group)
+func (r *ProjectRepo) FindProjectMembershipDirect(ctx context.Context, orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) (*biz.ProjectMembership, error) {
+	// Find the membership (direct only)
+	m, err := r.buildDirectMembershipQuery(orgID, projectID, memberID, membershipType).Only(ctx)
 
 	if err != nil {
 		if ent.IsNotFound(err) {
@@ -258,38 +258,29 @@ func (r *ProjectRepo) FindProjectMembershipByProjectAndID(ctx context.Context, o
 		return nil, fmt.Errorf("failed to find membership: %w", err)
 	}
 
-	// Build the membership response based on the membership type
-	projectMembership := &biz.ProjectMembership{
-		MembershipType: m.MembershipType,
-		Role:           m.Role,
-		CreatedAt:      &m.CreatedAt,
-		UpdatedAt:      &m.UpdatedAt,
-	}
-
+	// Use centralized converter and fetch associated user/group when needed
 	switch membershipType {
 	case authz.MembershipTypeUser:
-		// Fetch the user details for user memberships
 		u, err := r.data.DB.User.Get(ctx, memberID)
 		if err != nil {
 			if ent.IsNotFound(err) {
 				return nil, biz.NewErrNotFound("user")
 			}
 			return nil, fmt.Errorf("failed to find user: %w", err)
 		}
-		projectMembership.User = entUserToBizUser(u)
+		return entProjectMembershipToBiz(m, u, nil), nil
 	case authz.MembershipTypeGroup:
-		// Fetch the group details for group memberships
 		g, err := r.data.DB.Group.Query().Where(group.ID(memberID), group.DeletedAtIsNil()).Only(ctx)
 		if err != nil {
 			if ent.IsNotFound(err) {
 				return nil, biz.NewErrNotFound("group")
 			}
 			return nil, fmt.Errorf("failed to find group: %w", err)
 		}
-		projectMembership.Group = entGroupToBiz(g)
+		return entProjectMembershipToBiz(m, nil, g), nil
+	default:
+		return entProjectMembershipToBiz(m, nil, nil), nil
 	}
-
-	return projectMembership, nil
 }
 
 // UpdateMemberRoleInProject updates the role of a member in a project
@@ -308,7 +299,7 @@ func (r *ProjectRepo) UpdateMemberRoleInProject(ctx context.Context, orgID uuid.
 	}
 
 	// Find the membership to update
-	m, err := r.queryMembership(orgID, projectID, memberID, membershipType).Only(ctx)
+	m, err := r.buildDirectMembershipQuery(orgID, projectID, memberID, membershipType).Only(ctx)
 
 	if err != nil {
 		if ent.IsNotFound(err) {
@@ -326,8 +317,24 @@ func (r *ProjectRepo) UpdateMemberRoleInProject(ctx context.Context, orgID uuid.
 	return entProjectMembershipToBiz(m, nil, nil), nil
 }
 
-// queryMembership is a helper function to build a common membership query
-func (r *ProjectRepo) queryMembership(orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) *ent.MembershipQuery {
+// buildDirectMembershipQuery constructs a query that only considers direct memberships
+func (r *ProjectRepo) buildDirectMembershipQuery(orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) *ent.MembershipQuery {
+	return r.data.DB.Membership.Query().
+		Where(
+			membership.HasOrganizationWith(
+				organization.ID(orgID),
+			),
+			membership.MembershipTypeEQ(membershipType),
+			membership.MemberID(memberID),
+			membership.ResourceTypeEQ(authz.ResourceTypeProject),
+			membership.ResourceID(projectID),
+			// only direct memberships (parent is nil)
+			membership.ParentIDIsNil(),
+		).WithOrganization()
+}
+
+// buildEffectiveMembershipQuery constructs a query that considers direct and inherited memberships
+func (r *ProjectRepo) buildEffectiveMembershipQuery(orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) *ent.MembershipQuery {
 	return r.data.DB.Membership.Query().
 		Where(
 			membership.HasOrganizationWith(
@@ -337,10 +344,51 @@ func (r *ProjectRepo) queryMembership(orgID uuid.UUID, projectID uuid.UUID, memb
 			membership.MemberID(memberID),
 			membership.ResourceTypeEQ(authz.ResourceTypeProject),
 			membership.ResourceID(projectID),
-			membership.ParentIDIsNil(), // Only top-level memberships
+			// include both direct (parent nil) and indirect (parent not nil) memberships
+			membership.Or(
+				membership.ParentIDIsNil(),
+				membership.ParentIDNotNil(),
+			),
 		).WithOrganization()
 }
 
+// FindProjectMembershipEffective finds a project membership considering both direct and inherited
+// memberships for the member on the project.
+func (r *ProjectRepo) FindProjectMembershipEffective(ctx context.Context, orgID uuid.UUID, projectID uuid.UUID, memberID uuid.UUID, membershipType authz.MembershipType) (*biz.ProjectMembership, error) {
+	m, err := r.buildEffectiveMembershipQuery(orgID, projectID, memberID, membershipType).Only(ctx)
+
+	if err != nil {
+		if ent.IsNotFound(err) {
+			return nil, nil // Return nil when no membership found
+		}
+		return nil, fmt.Errorf("failed to find membership: %w", err)
+	}
+
+	// Use centralized converter and fetch associated user/group when needed
+	switch membershipType {
+	case authz.MembershipTypeUser:
+		u, err := r.data.DB.User.Get(ctx, memberID)
+		if err != nil {
+			if ent.IsNotFound(err) {
+				return nil, biz.NewErrNotFound("user")
+			}
+			return nil, fmt.Errorf("failed to find user: %w", err)
+		}
+		return entProjectMembershipToBiz(m, u, nil), nil
+	case authz.MembershipTypeGroup:
+		g, err := r.data.DB.Group.Query().Where(group.ID(memberID), group.DeletedAtIsNil()).Only(ctx)
+		if err != nil {
+			if ent.IsNotFound(err) {
+				return nil, biz.NewErrNotFound("group")
+			}
+			return nil, fmt.Errorf("failed to find group: %w", err)
+		}
+		return entProjectMembershipToBiz(m, nil, g), nil
+	default:
+		return entProjectMembershipToBiz(m, nil, nil), nil
+	}
+}
+
 // entProjectToBiz converts an ent.Project to a biz.Project
 func entProjectToBiz(pro *ent.Project) *biz.Project {
 	return &biz.Project{