From 0b521414b3defb45a423c5adcda449d33125ab23 Mon Sep 17 00:00:00 2001
From: luxferre
Date: Wed, 10 Jun 2026 14:48:22 +0100
Subject: [PATCH] feat: add group user by id restriction

Adding by ID can only be done for existing org members
---
 src/iam/router.py | 7 ++++++-
 test/test_iam.py | 4 +++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/iam/router.py b/src/iam/router.py
index 4fe18f6..5a50f42 100644
--- a/src/iam/router.py
+++ b/src/iam/router.py
@@ -23,7 +23,7 @@ from src.iam.exceptions import GroupNotFoundException
 from src.organisation.exceptions import OrgNotFoundException
 from src.schemas import GroupSummary, OrgSummary
 from src.service.exceptions import ServiceNotFoundException
-from src.exceptions import ConflictException
+from src.exceptions import ConflictException, ForbiddenException
 from src.database import db_dependency
 from src.auth.exceptions import UnauthorizedException
 from src.auth.service import claims_dependency
@@ -211,6 +211,11 @@ async def add_group_user(
 if user_model in group_model.user_rel:
 raise ConflictException("User already in group")
 
+ if user_model not in org_model.user_rel:
+ raise ForbiddenException(
+ "Adding users directly can only be done with org members. Use email invitation instead."
+ )
+
 group_model.user_rel.append(user_model)
 db.flush()
 response = IAMPutGroupUserResponse(
diff --git a/test/test_iam.py b/test/test_iam.py
index 0176f9d..7f99de9 100644
--- a/test/test_iam.py
+++ b/test/test_iam.py
@@ -4,7 +4,7 @@ import pytest
 from httpx import AsyncClient
 
 from src.user.models import User
-from src.organisation.models import Organisation as Org
+from src.organisation.models import Organisation as Org, OrgUsers
 from src.iam.models import Group
 from .conftest import generate_query_and_status
 
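Review bot: The new org-membership check in add_group_user is placed after the existing `ConflictException("User already in group")` test, so a caller who is not permitted to add a given user still learns whether that user is already in the group before the `ForbiddenException` is raised; the authorization-style check should run first, i.e. move the new `if user_model not in org_model.user_rel:` block above the conflict check so the forbidden response does not depend on group state. `user_model not in org_model.user_rel` also looks like it evaluates membership by loading the whole relationship collection (this depends on how `user_rel` is mapped, which is not visible here), whose cost grows with org size; an existence query keyed on the user and org ids would be cheaper, and the test hunk's `OrgUsers(user_id=..., org_id=...)` suggests such a table exists. The message would read more naturally as `"Adding users directly can only be done for org members. Use email invitation instead."`. add_group_user starts outside the hunk, so where `org_model` and `user_model` are resolved, and what is returned when the user id does not exist at all, cannot be checked from here.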
@@ -468,6 +468,8 @@ async def test_put_group_user_success(default_client: AsyncClient, db_session):
 )
 )
 db_session.flush()
+ db_session.add(OrgUsers(user_id=2, org_id=1))
+ db_session.flush()
 resp = await default_client.put(
 "/iam/group/user",
 json={"user_id": 2, "group_id": 1, "organisation_id": 1}
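Review bot: Only the success path is covered: the added `db_session.add(OrgUsers(user_id=2, org_id=1))` makes the existing test pass under the new rule, but nothing exercises the `ForbiddenException` branch in add_group_user, so dropping the membership check would leave this suite green. Add a companion test that reuses this setup without the `OrgUsers` row, issues the same PUT with `{"user_id": 2, "group_id": 1, "organisation_id": 1}`, and asserts the forbidden status code plus that user 2 was not appended to group 1. The test function starts outside the hunk, so the surrounding fixture setup is not visible here.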