Merge pull request BerriAI#23095 from BerriAI/litellm_org_admin_add_user_e2e

[Feature] Org Admin Access to Team Management Endpoints

Author: yuneng-jiang

litellm/proxy/_types.py

@@ -653,6 +653,8 @@ class LiteLLMRoutes(enum.Enum):
         "/model/update",
         "/model/delete",
         "/user/daily/activity",
+        "/user/available_roles",  # read-only role metadata; any authenticated user may read
+        "/user/list",  # org admins checked in endpoint; non-admins get 403
         "/model/{model_id}/update",
         "/prompt/list",
         "/prompt/info",

litellm/proxy/agent_endpoints/endpoints.py

@@ -106,6 +106,7 @@ async def get_agents(
     health_check: bool = Query(
         False,
         description="When true, performs a GET request to each agent's URL. Agents with reachable URLs (HTTP status < 500) and agents without a URL are returned; unreachable agents are filtered out.",
+    ),
     user_api_key_dict: UserAPIKeyAuth = Depends(user_api_key_auth),  # Used for auth
 ):
     """

litellm/proxy/auth/auth_checks_organization.py

@@ -144,19 +144,32 @@ def _user_is_org_admin(
     user_object: Optional[LiteLLM_UserTable] = None,
 ) -> bool:
     """
-    Helper function to check if user is an org admin for the passed organization_id
-    """
-    if request_data.get("organization_id", None) is None:
-        return False
+    Helper function to check if user is an org admin for any of the passed organizations.
 
+    Checks both:
+    - `organization_id` (singular string) — legacy callers
+    - `organizations` (list of strings) — used by /user/new
+    """
     if user_object is None:
         return False
 
     if user_object.organization_memberships is None:
         return False
 
+    # Collect candidate org IDs from both fields
+    candidate_org_ids: List[str] = []
+    singular = request_data.get("organization_id", None)
+    if singular is not None:
+        candidate_org_ids.append(singular)
+    orgs_list = request_data.get("organizations", None)
+    if isinstance(orgs_list, list):
+        candidate_org_ids.extend(orgs_list)
+
+    if not candidate_org_ids:
+        return False
+
     for _membership in user_object.organization_memberships:
-        if _membership.organization_id == request_data.get("organization_id", None):
+        if _membership.organization_id in candidate_org_ids:
             if _membership.user_role == LitellmUserRoles.ORG_ADMIN.value:
                 return True
 

litellm/proxy/management_endpoints/common_utils.py

@@ -41,6 +41,46 @@ def _is_user_team_admin(
     return False
 
 
+async def _is_user_org_admin_for_team(
+    user_api_key_dict: UserAPIKeyAuth, team_obj: LiteLLM_TeamTable
+) -> bool:
+    """
+    Check if user is an org admin for the team's organization.
+
+    Returns True if:
+    - The team belongs to an organization, AND
+    - The user has org_admin role in that organization
+    """
+    if not team_obj.organization_id or not user_api_key_dict.user_id:
+        return False
+
+    from litellm.proxy.auth.auth_checks import get_user_object
+    from litellm.proxy.proxy_server import (
+        prisma_client,
+        proxy_logging_obj,
+        user_api_key_cache,
+    )
+
+    caller_user = await get_user_object(
+        user_id=user_api_key_dict.user_id,
+        prisma_client=prisma_client,
+        user_api_key_cache=user_api_key_cache,
+        user_id_upsert=False,
+        proxy_logging_obj=proxy_logging_obj,
+    )
+    if caller_user is None:
+        return False
+
+    for m in caller_user.organization_memberships or []:
+        if (
+            m.organization_id == team_obj.organization_id
+            and m.user_role == LitellmUserRoles.ORG_ADMIN.value
+        ):
+            return True
+
+    return False
+
+
 def _team_member_has_permission(
     user_api_key_dict: UserAPIKeyAuth,
     team_obj: LiteLLM_TeamTable,