feat: enable removal and update of role from a user in an organization

Author: raghavyuva

api/api/versions.json

@@ -3,7 +3,7 @@
     {
       "version": "v1",
       "status": "active",
-      "release_date": "2025-10-04T20:22:44.016248162+05:30",
+      "release_date": "2025-10-04T21:33:19.645770465+05:30",
       "end_of_life": "0001-01-01T00:00:00Z",
       "changes": [
         "Initial API version"

api/doc/openapi.json

@@ -1,69 +1,52 @@
 package controller
 
-// import (
-// 	"net/http"
-
-// 	"github.com/go-fuego/fuego"
-// 	"github.com/raghavyuva/nixopus-api/internal/features/notification"
-// 	"github.com/raghavyuva/nixopus-api/internal/features/organization/types"
-// 	shared_types "github.com/raghavyuva/nixopus-api/internal/types"
-// 	"github.com/raghavyuva/nixopus-api/internal/utils"
-// )
-
-// func (c *OrganizationsController) RemoveUserFromOrganization(f fuego.ContextWithBody[types.RemoveUserFromOrganizationRequest]) (*shared_types.Response, error) {
-// 	_, r := f.Response(), f.Request()
-// 	user, err := f.Body()
-// 	if err != nil {
-// 		return nil, fuego.HTTPError{
-// 			Err:    err,
-// 			Status: http.StatusBadRequest,
-// 		}
-// 	}
-
-// 	loggedInUser := utils.GetUser(f.Response(), r)
-// 	if loggedInUser == nil {
-// 		return nil, fuego.HTTPError{
-// 			Err:    nil,
-// 			Status: http.StatusUnauthorized,
-// 		}
-// 	}
-
-// 	if err := c.service.RemoveUserFromOrganization(&user); err != nil {
-// 		return nil, fuego.HTTPError{
-// 			Err:    err,
-// 			Status: http.StatusInternalServerError,
-// 		}
-// 	}
-
-// 	org, err := c.service.GetOrganization(user.OrganizationID)
-// 	if err != nil {
-// 		return nil, fuego.HTTPError{
-// 			Err:    err,
-// 			Status: http.StatusInternalServerError,
-// 		}
-// 	}
-
-// 	userDetails := utils.GetUser(f.Response(), r)
-// 	if userDetails == nil {
-// 		return nil, fuego.HTTPError{
-// 			Err:    nil,
-// 			Status: http.StatusUnauthorized,
-// 		}
-// 	}
-
-// 	c.Notify(notification.NotificationPayloadTypeRemoveUserFromOrganization, loggedInUser, r, notification.RemoveUserFromOrganizationData{
-// 		NotificationBaseData: notification.NotificationBaseData{
-// 			IP:      r.RemoteAddr,
-// 			Browser: r.UserAgent(),
-// 		},
-// 		OrganizationName: org.Name,
-// 		UserName:         userDetails.Username,
-// 		UserEmail:        userDetails.Email,
-// 	})
-
-// 	return &shared_types.Response{
-// 		Status:  "success",
-// 		Message: "User removed from organization successfully",
-// 		Data:    nil,
-// 	}, nil
-// }
+import (
+	"net/http"
+
+	"github.com/go-fuego/fuego"
+	"github.com/raghavyuva/nixopus-api/internal/features/logger"
+	"github.com/raghavyuva/nixopus-api/internal/features/organization/types"
+	shared_types "github.com/raghavyuva/nixopus-api/internal/types"
+	"github.com/raghavyuva/nixopus-api/internal/utils"
+)
+
+// TODO: Here we need to make sure when a user is removed from an organization, if no organization is left for the user, we should remove the user from the system.
+func (c *OrganizationsController) RemoveUserFromOrganization(f fuego.ContextWithBody[types.RemoveUserFromOrganizationRequest]) (*shared_types.Response, error) {
+	_, r := f.Response(), f.Request()
+	user, err := f.Body()
+	if err != nil {
+		return nil, fuego.HTTPError{
+			Err:    err,
+			Status: http.StatusBadRequest,
+		}
+	}
+
+	loggedInUser := utils.GetUser(f.Response(), r)
+	if loggedInUser == nil {
+		return nil, fuego.HTTPError{
+			Err:    nil,
+			Status: http.StatusUnauthorized,
+		}
+	}
+
+	if err := c.validator.ValidateRequest(&user); err != nil {
+		c.logger.Log(logger.Error, err.Error(), "")
+		return nil, fuego.HTTPError{
+			Err:    err,
+			Status: http.StatusBadRequest,
+		}
+	}
+
+	if err := c.service.RemoveUserFromOrganization(&user); err != nil {
+		return nil, fuego.HTTPError{
+			Err:    err,
+			Status: http.StatusInternalServerError,
+		}
+	}
+
+	return &shared_types.Response{
+		Status:  "success",
+		Message: "User removed from organization successfully",
+		Data:    nil,
+	}, nil
+}

api/internal/features/organization/controller/remove_organization_user.go

@@ -0,0 +1,51 @@
+package controller
+
+import (
+	"net/http"
+
+	"github.com/go-fuego/fuego"
+	"github.com/raghavyuva/nixopus-api/internal/features/logger"
+	"github.com/raghavyuva/nixopus-api/internal/features/organization/types"
+	shared_types "github.com/raghavyuva/nixopus-api/internal/types"
+	"github.com/raghavyuva/nixopus-api/internal/utils"
+)
+
+func (c *OrganizationsController) UpdateUserRole(f fuego.ContextWithBody[types.UpdateUserRoleRequest]) (*shared_types.Response, error) {
+	_, r := f.Response(), f.Request()
+	request, err := f.Body()
+	if err != nil {
+		return nil, fuego.HTTPError{
+			Err:    err,
+			Status: http.StatusBadRequest,
+		}
+	}
+
+	loggedInUser := utils.GetUser(f.Response(), r)
+	if loggedInUser == nil {
+		return nil, fuego.HTTPError{
+			Err:    nil,
+			Status: http.StatusUnauthorized,
+		}
+	}
+
+	if err := c.validator.ValidateRequest(&request); err != nil {
+		c.logger.Log(logger.Error, err.Error(), "")
+		return nil, fuego.HTTPError{
+			Err:    err,
+			Status: http.StatusBadRequest,
+		}
+	}
+
+	if err := c.service.UpdateUserRole(&request); err != nil {
+		return nil, fuego.HTTPError{
+			Err:    err,
+			Status: http.StatusInternalServerError,
+		}
+	}
+
+	return &shared_types.Response{
+		Status:  "success",
+		Message: "User role updated successfully",
+		Data:    nil,
+	}, nil
+}

api/internal/features/organization/controller/update_user_role.go

@@ -0,0 +1,61 @@
+package service
+
+import (
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/raghavyuva/nixopus-api/internal/features/logger"
+	"github.com/raghavyuva/nixopus-api/internal/features/organization/types"
+	"github.com/supertokens/supertokens-golang/recipe/userroles"
+)
+
+func (o *OrganizationService) RemoveUserFromOrganization(request *types.RemoveUserFromOrganizationRequest) error {
+	o.logger.Log(logger.Info, "removing user from organization", request.UserID)
+
+	existingOrganization, err := o.storage.GetOrganization(request.OrganizationID)
+	if err != nil || existingOrganization.ID == uuid.Nil {
+		o.logger.Log(logger.Error, types.ErrOrganizationDoesNotExist.Error(), "")
+		return types.ErrOrganizationDoesNotExist
+	}
+
+	existingUser, err := o.user_storage.FindUserByID(request.UserID)
+	if err != nil || existingUser.ID == uuid.Nil {
+		o.logger.Log(logger.Error, types.ErrUserDoesNotExist.Error(), "")
+		return types.ErrUserDoesNotExist
+	}
+
+	existingUserInOrganization, err := o.storage.FindUserInOrganization(request.UserID, request.OrganizationID)
+	if err != nil || existingUserInOrganization.ID == uuid.Nil {
+		o.logger.Log(logger.Error, types.ErrUserNotInOrganization.Error(), "")
+		return types.ErrUserNotInOrganization
+	}
+
+	if err := o.storage.RemoveUserFromOrganization(request.UserID, request.OrganizationID); err != nil {
+		o.logger.Log(logger.Error, types.ErrFailedToRemoveUserFromOrganization.Error(), err.Error())
+		return types.ErrFailedToRemoveUserFromOrganization
+	}
+
+	if existingUser.SupertokensUserID != "" {
+		roleName := fmt.Sprintf("orgid_%s_admin", request.OrganizationID)
+		if _, err := userroles.RemoveUserRole("public", existingUser.SupertokensUserID, roleName, nil); err != nil {
+			o.logger.Log(logger.Warning, "failed to remove SuperTokens role", err.Error())
+		}
+
+		roleName = fmt.Sprintf("orgid_%s_member", request.OrganizationID)
+		if _, err := userroles.RemoveUserRole("public", existingUser.SupertokensUserID, roleName, nil); err != nil {
+			o.logger.Log(logger.Warning, "failed to remove SuperTokens role", err.Error())
+		}
+
+		roleName = fmt.Sprintf("orgid_%s_viewer", request.OrganizationID)
+		if _, err := userroles.RemoveUserRole("public", existingUser.SupertokensUserID, roleName, nil); err != nil {
+			o.logger.Log(logger.Warning, "failed to remove SuperTokens role", err.Error())
+		}
+	}
+
+	if err := o.cache.InvalidateOrgMembership(o.Ctx, request.UserID, request.OrganizationID); err != nil {
+		o.logger.Log(logger.Error, "failed to invalidate organization membership cache", err.Error())
+	}
+
+	o.logger.Log(logger.Info, "user removed from organization successfully", request.UserID)
+	return nil
+}

api/internal/features/organization/service/remove_user_from_organization.go

@@ -0,0 +1,80 @@
+package service
+
+import (
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/raghavyuva/nixopus-api/internal/features/logger"
+	"github.com/raghavyuva/nixopus-api/internal/features/organization/types"
+	"github.com/raghavyuva/nixopus-api/internal/features/supertokens"
+	"github.com/supertokens/supertokens-golang/recipe/userroles"
+)
+
+func (o *OrganizationService) UpdateUserRole(request *types.UpdateUserRoleRequest) error {
+	o.logger.Log(logger.Info, "updating user role", request.UserID)
+
+	existingOrganization, err := o.storage.GetOrganization(request.OrganizationID)
+	if err != nil || existingOrganization.ID == uuid.Nil {
+		o.logger.Log(logger.Error, types.ErrOrganizationDoesNotExist.Error(), "")
+		return types.ErrOrganizationDoesNotExist
+	}
+
+	existingUser, err := o.user_storage.FindUserByID(request.UserID)
+	if err != nil || existingUser.ID == uuid.Nil {
+		o.logger.Log(logger.Error, types.ErrUserDoesNotExist.Error(), "")
+		return types.ErrUserDoesNotExist
+	}
+
+	existingUserInOrganization, err := o.storage.FindUserInOrganization(request.UserID, request.OrganizationID)
+	if err != nil || existingUserInOrganization.ID == uuid.Nil {
+		o.logger.Log(logger.Error, types.ErrUserNotInOrganization.Error(), "")
+		return types.ErrUserNotInOrganization
+	}
+
+	if existingUser.SupertokensUserID != "" {
+		oldRoleName := fmt.Sprintf("orgid_%s_admin", request.OrganizationID)
+		if _, err := userroles.RemoveUserRole("public", existingUser.SupertokensUserID, oldRoleName, nil); err != nil {
+			o.logger.Log(logger.Warning, "failed to remove old SuperTokens role", err.Error())
+		}
+
+		oldRoleName = fmt.Sprintf("orgid_%s_member", request.OrganizationID)
+		if _, err := userroles.RemoveUserRole("public", existingUser.SupertokensUserID, oldRoleName, nil); err != nil {
+			o.logger.Log(logger.Warning, "failed to remove old SuperTokens role", err.Error())
+		}
+
+		oldRoleName = fmt.Sprintf("orgid_%s_viewer", request.OrganizationID)
+		if _, err := userroles.RemoveUserRole("public", existingUser.SupertokensUserID, oldRoleName, nil); err != nil {
+			o.logger.Log(logger.Warning, "failed to remove old SuperTokens role", err.Error())
+		}
+
+		newRoleName := fmt.Sprintf("orgid_%s_%s", request.OrganizationID, request.Role)
+		var permissions []string
+		switch request.Role {
+		case "admin":
+			permissions = supertokens.GetAdminPermissions()
+		case "member":
+			permissions = supertokens.GetMemberPermissions()
+		case "viewer":
+			permissions = supertokens.GetViewerPermissions()
+		default:
+			permissions = supertokens.GetViewerPermissions()
+		}
+
+		if _, err := userroles.CreateNewRoleOrAddPermissions(newRoleName, permissions, nil); err != nil {
+			o.logger.Log(logger.Error, "failed to create SuperTokens role", err.Error())
+			return types.ErrFailedToUpdateUserRole
+		}
+
+		if _, err := userroles.AddRoleToUser("public", existingUser.SupertokensUserID, newRoleName, nil); err != nil {
+			o.logger.Log(logger.Error, "failed to assign SuperTokens role", err.Error())
+			return types.ErrFailedToUpdateUserRole
+		}
+	}
+
+	if err := o.cache.InvalidateOrgMembership(o.Ctx, request.UserID, request.OrganizationID); err != nil {
+		o.logger.Log(logger.Error, "failed to invalidate organization membership cache", err.Error())
+	}
+
+	o.logger.Log(logger.Info, "user role updated successfully", request.UserID)
+	return nil
+}

api/internal/features/organization/service/update_user_role.go

@@ -59,6 +59,12 @@ type InviteResendRequest struct {
 	Role           string `json:"role"`
 }
 
+type UpdateUserRoleRequest struct {
+	UserID         string `json:"user_id"`
+	OrganizationID string `json:"organization_id"`
+	Role           string `json:"role"`
+}
+
 func NewOrganization(name string, description string) shared_types.Organization {
 	return shared_types.Organization{
 		ID:          uuid.New(),

api/internal/features/organization/types/organization.go

@@ -82,6 +82,8 @@ func (v *Validator) ValidateRequest(req interface{}) error {
 		return v.validateInviteSend(*r)
 	case *types.InviteResendRequest:
 		return v.validateInviteResend(*r)
+	case *types.UpdateUserRoleRequest:
+		return v.validateUpdateUserRole(*r)
 	default:
 		return types.ErrInvalidRequestType
 	}
@@ -230,7 +232,28 @@ func (v *Validator) validateInviteResend(req types.InviteResendRequest) error {
 	return nil
 }
 
+func (v *Validator) validateUpdateUserRole(req types.UpdateUserRoleRequest) error {
+	if err := v.ValidateID(req.OrganizationID, types.ErrMissingOrganizationID); err != nil {
+		return err
+	}
+	if err := v.ValidateID(req.UserID, types.ErrMissingUserID); err != nil {
+		return err
+	}
+	if req.Role == "" {
+		return types.ErrMissingRoleID
+	}
+
+	organization, err := v.storage.GetOrganization(req.OrganizationID)
+	if err != nil {
+		return err
+	}
+	if organization == nil {
+		return types.ErrOrganizationNotFound
+	}
+
+	return nil
+}
+
 func (v *Validator) ParseRequestBody(req interface{}, body io.ReadCloser, decoded interface{}) error {
 	return json.NewDecoder(body).Decode(decoded)
 }
-

api/internal/features/organization/validation/validator.go

@@ -418,7 +418,8 @@ func (router *Router) ContainerRoutes(s *fuego.Server, containerController *cont
 
 func (router *Router) OrganizationRoutes(f *fuego.Server, organizationController *organization.OrganizationsController) {
 	fuego.Get(f, "/users", organizationController.GetOrganizationUsers)
-	// fuego.Post(f, "/remove-user", organizationController.RemoveUserFromOrganization)
+	fuego.Post(f, "/remove-user", organizationController.RemoveUserFromOrganization)
+	fuego.Post(f, "/update-user-role", organizationController.UpdateUserRole)
 	fuego.Put(f, "", organizationController.UpdateOrganization)
 	fuego.Post(f, "", organizationController.CreateOrganization)
 	fuego.Delete(f, "", organizationController.DeleteOrganization)

api/internal/routes.go

@@ -105,7 +105,7 @@ function useTeamSettings() {
       await updateUserRole({
         user_id: userId,
         organization_id: activeOrganization?.id || '',
-        role_name: role
+        role: role.toLowerCase()
       });
       await refetchUsers();
       toast.success(t('settings.teams.messages.userUpdated'));