fix: remove usergroup injection from org project groups to prevent duplicates

services/api/src/resources/group/resolvers.ts

@@ -654,14 +654,17 @@ export const addGroupsToProject: ResolverFn = async (
 
   for (const groupInput of groupsInput) {
     const group = await models.GroupModel.loadGroupByIdOrName(groupInput);
+    if (R.prop('lagoon-organization', group.attributes) === undefined && project.organization != null) {
+      throw new Error('Group must be in same organization as the project');
+    }
     if (R.prop('lagoon-organization', group.attributes) && project.organization != null) {
       if (project.organization == R.prop('lagoon-organization', group.attributes)) {
         // if this is a group in an organization, check that the user removing members from the group in this org is in the org
         await hasPermission('organization', 'addGroup', {
           organization: R.prop('lagoon-organization', group.attributes)
         });
       } else {
-        throw new Error('Project must be in same organization as groups');
+        throw new Error('Group must be in same organization as the project');
       }
     }
     await models.GroupModel.addProjectToGroup(project.id, group);

services/api/src/resources/organization/resolvers.ts

@@ -509,56 +509,13 @@ export const getGroupCountByOrganizationProject: ResolverFn = async (
 export const getGroupsByOrganizationsProject: ResolverFn = async (
   { id: pid },
   _input,
-  { sqlClientPool, models, keycloakGrant, keycloakUsersGroups, adminScopes }
+  { sqlClientPool, models }
 ) => {
+  // rather than make this more complicated than it needs to be, just return all the groups attached to a project, even those that aren't in the organization
+  // this way the organization owner can make the decision to remove the group from the project
+  // this isn't an impossibile situation, but is unlikely, due to the historical nature of lagoons group attachment process
   const orgProjectGroups = await groupHelpers(sqlClientPool).selectGroupsByProjectId(models, pid)
-  if (adminScopes.projectViewAll) {
-    // if platform owner, this will show ALL groups on a project (those that aren't in the organization too, yes its possible with outside intervention :| )
-    return orgProjectGroups;
-  }
-
-  const user = await models.UserModel.loadUserById(
-    keycloakGrant.access_token.content.sub
-  );
-  // if this user is an owner of an organization, then also display org based groups to this user
-  // when listing project groups
-  const userGroups = keycloakUsersGroups;
-  const usersOrgs = R.defaultTo('', R.prop('lagoon-organizations',  user.attributes)).toString()
-  const usersOrgsViewer = R.defaultTo('', R.prop('lagoon-organizations-viewer',  user.attributes)).toString()
-
-  if (usersOrgs != "" ) {
-    const usersOrgsArr = usersOrgs.split(',');
-    for (const userOrg of usersOrgsArr) {
-      const project = await projectHelpers(sqlClientPool).getProjectById(pid);
-      if (project.organization == userOrg) {
-        const orgGroups = await groupHelpers(sqlClientPool).selectGroupsByOrganizationId(models, project.organization)
-        for (const pGroup of orgGroups) {
-          userGroups.push(pGroup)
-        }
-      }
-    }
-  }
-  if (usersOrgsViewer != "" ) {
-    const usersOrgsArr = usersOrgsViewer.split(',');
-    for (const userOrg of usersOrgsArr) {
-      const project = await projectHelpers(sqlClientPool).getProjectById(pid);
-      if (project.organization == userOrg) {
-        const orgGroups = await groupHelpers(sqlClientPool).selectGroupsByOrganizationId(models, project.organization)
-        for (const pGroup of orgGroups) {
-          userGroups.push(pGroup)
-        }
-      }
-    }
-  }
-  let userProjectGroups = []
-  for (const ug of userGroups) {
-    const pg = orgProjectGroups.find(i => i.id === ug.id)
-    if (pg) {
-      userProjectGroups.push(pg)
-    }
-  }
-
-  return userProjectGroups;
+  return orgProjectGroups;
 };
 
 // check an existing project and the associated groups can be added to an organization