feat(organizations): add endpoints to handle organization members TASK-963

[rajpatel24]

🗒️ Checklist

1. run linter locally
2. update all related docs (API, README, inline, etc.), if any
3. draft PR with a title <type>(<scope>)<!>: <title> TASK-1234
4. tag PR: at least frontend or backend unless it's global
5. fill in the template below and delete template comments
6. review thyself: read the diff and repro the preview as written
7. open PR & confirm that CI passes
8. request reviewers, if needed
9. delete this section before merging

📣 Summary

• Enhance the organization member management API to support role updates and member removal via PATCH and DELETE requests, excluding member creation.

📖 Description

• This update introduces endpoints for managing organization members:

  • GET /api/v2/organizations/<org-id>/members/ to list all members in an organization.
  • PATCH /api/v2/organizations/<org-id>/members/<username>/ to update a member's role (e.g., promote to admin).
  • DELETE /api/v2/organizations/<org-id>/members/<username>/ to remove a member from the organization.

Note: Creating members is not supported via this endpoint. Roles are restricted to 'admin' or 'member'. Including the details of invited members (those who have not yet joined the organization) is not covered in this update.

👷 Description for instance maintainers

• This update provides new functionality to manage organization members:

  • Role updates for members (promotion/demotion between 'admin' and 'member').
  • Member removal from an organization.
  • The endpoints are optimized to use database joins to fetch member roles efficiently without excessive database queries, ensuring minimal load.

👀 Preview steps

1. ℹ️ Have an account and an organization with multiple members.
2. Use the GET method to list the members of the organization.
3. Use the PATCH method to update a member's role (e.g., promote a user to admin).
4. Use the DELETE method to remove a member from the organization.
5. 🟢 Notice the endpoints behave as expected, with valid role updates and member removal.

💭 Notes

• The code uses database joins to optimize role determination for members, avoiding inefficient role lookups.
• Role validation restricts role assignments to 'admin' or 'member' only.
• Including invited members' details is not covered in this update. This will be implemented in a future update.

[noliveleger]

I would rename the class just to match what it is paginating (i.e.: organization members)

[noliveleger]

Is 10 a requirement?

[rajpatel24]

10 is not a requirement defined in the task. I need to check with you or the team to determine the appropriate value for it.

[jamesrkiger]

@rajpatel24 Can we change this to limit offset pagination? Our table components on the frontend currently assume limit offset pagination and @noliveleger said it shouldn't cause any problems to use that here.

[rajpatel24]

@jamesrkiger I have removed the custom pagination class for the organization members API. It will now use LimitOffsetPagination by default.

[noliveleger]

Actually, you need to get if the user has MFA enabled. (e.g. MfaMethod.objects.filter(user=obj, is_active=True).exists()). Ensure to optimize this for a list like you did for role ;-)

[noliveleger]

For future-proof validaiton, please add mmo_override=True
This can be simplied with

self.organization = baker.make(Organization, id='org_12345', mmo_override=True)
self.owner_user = baker.make(User, username='owner')
self.member_user = baker.make(User, username='member')
self.invited_user = baker.make(User, username='invited')

self.organization.add_user(self.owner_user)  # first user added to org, is always the owner and an admin
self.organization.add_user(self.member_user, is_admin=False) 

[noliveleger]

invited_user is not used at all for the moment, right? Let's remove until we implement invitations.

[noliveleger]

All your tests are done with self.client == self.owner , but we need to validate permissions for regular members, admins and anonymous. Let's those tests as soon as #5218 is merged. I will tag this PR blocked by

[rajpatel24]

Thanks for pointing that out! I've added the role-based validation tests for organization member permissions.

One thing I still need to figure out is that I have added a new permission class and tried to use obj to retrieve the user role using the optimized approach I wrote in get_queryset(). It works fine when I test the endpoints in Postman or using a curl. However, for the tests, I'm unable to fetch the actual role, and it defaults to the member role. Do you have any suggestions for this?

[noliveleger]

This PR is blocked by #5218

[magicznyleszek]

@noliveleger @rajpatel24 this is no longer blocked, right?

[noliveleger]

You can delete this class, not needed anymore

[rajpatel24]

Done. It will use LimitOffsetPagination by default

[noliveleger]

I think that's the wrong field. You need to retrieve User.extra_details.data['name'] . BTW in that case, the field should be user__extra_details__name .

cc @jamesrkiger

[noliveleger]

Asked by the front-end team, let's use LimitOffsetPagination instead.

[rajpatel24]

Okay, I removed AssetUsagePagination. It will now use LimitOffsetPagination by default for /organizations and /organizations/{org_id}/members.

[noliveleger]

You can remove this method entirely. No need to overload but right now, we want to delete the OrganizationUser only. Do not touch the User object.

[noliveleger]

LGTM

For the record: The complex query took only few millisecond on a 500 members org.