@@ -106,12 +106,24 @@ func (api *API) putWorkflowGroupHandler() service.Handler {
106106 return sdk .WrapError (sdk .ErrNotFound , "no permission found for group %q on workflow" , gp .Group .Name )
107107 }
108108
109- g , err := group .LoadByName (ctx , api .mustDB (), gp .Group .Name , group .LoadOptions .WithOrganization )
109+ g , err := group .LoadByName (ctx , api .mustDB (), gp .Group .Name , group .LoadOptions .WithOrganization , group . LoadOptions . WithMembers )
110110 if err != nil {
111111 return sdk .WrapError (err , "cannot load group with name %q" , gp .Group .Name )
112112 }
113113 gp .Group = * g
114114
115+ if ! isGroupAdmin (ctx , g ) && gp .Permission > oldGp .Permission {
116+ if isAdmin (ctx ) {
117+ trackSudo (ctx , w )
118+ } else {
119+ return sdk .WithStack (sdk .ErrInvalidGroupAdmin )
120+ }
121+ }
122+
123+ if group .IsDefaultGroupID (g .ID ) && gp .Permission > sdk .PermissionRead {
124+ return sdk .NewErrorFrom (sdk .ErrDefaultGroupPermission , "only read permission is allowed to default group" )
125+ }
126+
115127 tx , err := api .mustDB ().Begin ()
116128 if err != nil {
117129 return sdk .WrapError (err , "cannot start transaction" )
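Review bot: The sudo audit entry in putWorkflowGroupHandler (lines 115–121) is written before the default-group guard at 123–125 can still reject the request, so a CDS admin who tries to grant the default group more than read is recorded via `trackSudo` for a change that is never applied; moving the `group.IsDefaultGroupID(g.ID) && gp.Permission > sdk.PermissionRead` check above the `isGroupAdmin` block keeps the audit trail tied to changes that actually happen. The same two blocks are copy-pasted into postWorkflowGroupHandler (lines 185–195) with only the comparison differing (`oldGp.Permission` there versus `sdk.PermissionRead` here), so one shared helper taking the threshold as a parameter would keep the two authorization rules from drifting apart when a third handler needs them. A comment above the guard would also help the next reader, e.g. `// Only a group admin may raise this group's permission; a CDS admin may as well, but the action is recorded as sudo.` Both handler closures start outside the hunk, so I am assuming `w` is the response writer passed to the handler and that `gp.Permission` was validated against the allowed permission values before this point.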
@@ -164,12 +176,24 @@ func (api *API) postWorkflowGroupHandler() service.Handler {
164176 }
165177 }
166178
167- g , err := group .LoadByName (ctx , api .mustDB (), gp .Group .Name , group .LoadOptions .WithOrganization )
179+ g , err := group .LoadByName (ctx , api .mustDB (), gp .Group .Name , group .LoadOptions .WithOrganization , group . LoadOptions . WithMembers )
168180 if err != nil {
169181 return sdk .WrapError (err , "cannot load group with name %q" , gp .Group .Name )
170182 }
171183 gp .Group = * g
172184
185+ if ! isGroupAdmin (ctx , g ) && gp .Permission > sdk .PermissionRead {
186+ if isAdmin (ctx ) {
187+ trackSudo (ctx , w )
188+ } else {
189+ return sdk .WithStack (sdk .ErrInvalidGroupAdmin )
190+ }
191+ }
192+
193+ if group .IsDefaultGroupID (g .ID ) && gp .Permission > sdk .PermissionRead {
194+ return sdk .NewErrorFrom (sdk .ErrDefaultGroupPermission , "only read permission is allowed to default group" )
195+ }
196+
173197 tx , err := api .mustDB ().Begin ()
174198 if err != nil {
175199 return sdk .WrapError (err , "cannot start transaction" )