misc: added no access exemption

2026-01-10 16:08:20 -05:00 · 2025-03-27 13:26:30 +08:00
parent 956d0f6c5d
commit a1318d54b1
2 changed files with 38 additions and 35 deletions
--- a/backend/src/ee/services/group/group-service.ts
+++ b/backend/src/ee/services/group/group-service.ts
@@ -87,25 +87,26 @@ export const groupServiceFactory = ({
      actorOrgId
    );
    const isCustomRole = Boolean(customRole);
+    if (role !== OrgMembershipRole.NoAccess) {
+      const permissionBoundary = validatePrivilegeChangeOperation(
+        membership.shouldUseNewPrivilegeSystem,
+        OrgPermissionGroupActions.GrantPrivileges,
+        OrgPermissionSubjects.Groups,
+        permission,
+        rolePermission
+      );

-    const permissionBoundary = validatePrivilegeChangeOperation(
-      membership.shouldUseNewPrivilegeSystem,
-      OrgPermissionGroupActions.GrantPrivileges,
-      OrgPermissionSubjects.Groups,
-      permission,
-      rolePermission
-    );
-
-    if (!permissionBoundary.isValid)
-      throw new PermissionBoundaryError({
-        message: constructPermissionErrorMessage(
-          "Failed to create group",
-          membership.shouldUseNewPrivilegeSystem,
-          OrgPermissionGroupActions.GrantPrivileges,
-          OrgPermissionSubjects.Groups
-        ),
-        details: { missingPermissions: permissionBoundary.missingPermissions }
-      });
+      if (!permissionBoundary.isValid)
+        throw new PermissionBoundaryError({
+          message: constructPermissionErrorMessage(
+            "Failed to create group",
+            membership.shouldUseNewPrivilegeSystem,
+            OrgPermissionGroupActions.GrantPrivileges,
+            OrgPermissionSubjects.Groups
+          ),
+          details: { missingPermissions: permissionBoundary.missingPermissions }
+        });
+    }

    const group = await groupDAL.transaction(async (tx) => {
      const existingGroup = await groupDAL.findOne({ orgId: actorOrgId, name }, tx);
--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@@ -945,24 +945,26 @@ export const orgServiceFactory = ({
            projectId
          );

-          const permissionBoundary = validatePrivilegeChangeOperation(
-            membership.shouldUseNewPrivilegeSystem,
-            ProjectPermissionMemberActions.GrantPrivileges,
-            ProjectPermissionSub.Member,
-            projectPermission,
-            rolePermission
-          );
+          if (invitedRole !== ProjectMembershipRole.NoAccess) {
+            const permissionBoundary = validatePrivilegeChangeOperation(
+              membership.shouldUseNewPrivilegeSystem,
+              ProjectPermissionMemberActions.GrantPrivileges,
+              ProjectPermissionSub.Member,
+              projectPermission,
+              rolePermission
+            );

-          if (!permissionBoundary.isValid)
-            throw new PermissionBoundaryError({
-              message: constructPermissionErrorMessage(
-                "Failed to invite user to the project",
-                membership.shouldUseNewPrivilegeSystem,
-                ProjectPermissionMemberActions.GrantPrivileges,
-                ProjectPermissionSub.Member
-              ),
-              details: { missingPermissions: permissionBoundary.missingPermissions }
-            });
+            if (!permissionBoundary.isValid)
+              throw new PermissionBoundaryError({
+                message: constructPermissionErrorMessage(
+                  "Failed to invite user to the project",
+                  membership.shouldUseNewPrivilegeSystem,
+                  ProjectPermissionMemberActions.GrantPrivileges,
+                  ProjectPermissionSub.Member
+                ),
+                details: { missingPermissions: permissionBoundary.missingPermissions }
+              });
+          }
        }

        const customProjectRoles = invitedProjectRoles.filter(