feat: add group user by id restriction

Adding by ID can only be done for existing org members

src/iam/router.py

@@ -23,7 +23,7 @@ from src.iam.exceptions import GroupNotFoundException
 from src.organisation.exceptions import OrgNotFoundException
 from src.schemas import GroupSummary, OrgSummary
 from src.service.exceptions import ServiceNotFoundException
-from src.exceptions import ConflictException
+from src.exceptions import ConflictException, ForbiddenException
 from src.database import db_dependency
 from src.auth.exceptions import UnauthorizedException
 from src.auth.service import claims_dependency
@@ -211,6 +211,11 @@ async def add_group_user(
 	if user_model in group_model.user_rel:
 		raise ConflictException("User already in group")
 
+	if user_model not in org_model.user_rel:
+		raise ForbiddenException(
+			"Adding users directly can only be done with org members. Use email invitation instead."
+		)
+
 	group_model.user_rel.append(user_model)
 	db.flush()
 	response = IAMPutGroupUserResponse(

test/test_iam.py

@@ -4,7 +4,7 @@ import pytest
 from httpx import AsyncClient
 
 from src.user.models import User
-from src.organisation.models import Organisation as Org
+from src.organisation.models import Organisation as Org, OrgUsers
 from src.iam.models import Group
 
 from .conftest import generate_query_and_status
@@ -468,6 +468,8 @@ async def test_put_group_user_success(default_client: AsyncClient, db_session):
 		)
 	)
 	db_session.flush()
+	db_session.add(OrgUsers(user_id=2, org_id=1))
+	db_session.flush()
 
 	resp = await default_client.put(
 		"/iam/group/user", json={"user_id": 2, "group_id": 1, "organisation_id": 1}