@@ -167,7 +167,7 @@ func (o *orgRoleResourceType) Grants(
167167 // First, get teams with this role
168168 teams , resp , err := o .client .Organizations .ListTeamsAssignedToOrgRole (ctx , orgName , roleID , nil )
169169 if err != nil {
170- // Handle permission errors gracefully
170+ // Handle permission errors without erroring out. Some customers may not want to give us permissions to get org roles and members.
171171 if resp != nil && (resp .StatusCode == http .StatusForbidden || resp .StatusCode == http .StatusNotFound ) {
172172 // Return empty list with no error to indicate we skipped this resource
173173 pageToken , err := bag .NextToken ("" )
@@ -179,14 +179,13 @@ func (o *orgRoleResourceType) Grants(
179179 return nil , "" , nil , fmt .Errorf ("failed to list role teams: %w" , err )
180180 }
181181
182- // Create expandable grants for teams
182+ // Create expandable grants for teams. To show inherited roles, we need to show the teams that have the role.
183183 for _ , team := range teams {
184184 teamResource , err := teamResource (team , resource .ParentResourceId )
185185 if err != nil {
186186 return nil , "" , nil , err
187187 }
188188
189- // Create an expandable grant for the team
190189 grant := grant .NewGrant (
191190 resource ,
192191 "assigned" ,
@@ -202,9 +201,7 @@ func (o *orgRoleResourceType) Grants(
202201 // Then, get direct user assignments
203202 users , resp , err := o .client .Organizations .ListUsersAssignedToOrgRole (ctx , orgName , roleID , nil )
204203 if err != nil {
205- // Handle permission errors gracefully
206204 if resp != nil && (resp .StatusCode == http .StatusForbidden || resp .StatusCode == http .StatusNotFound ) {
207- // Return what we have so far (teams) with no error
208205 pageToken , err := bag .NextToken ("" )
209206 if err != nil {
210207 return nil , "" , nil , err
@@ -214,7 +211,7 @@ func (o *orgRoleResourceType) Grants(
214211 return nil , "" , nil , fmt .Errorf ("failed to list role users: %w" , err )
215212 }
216213
217- // Create regular grants for direct user assignments
214+ // Create regular grants for direct user assignments.
218215 for _ , user := range users {
219216 userResource , err := userResource (ctx , user , user .GetEmail (), nil )
220217 if err != nil {
@@ -240,13 +237,14 @@ func (o *orgRoleResourceType) Grants(
240237func (o * orgRoleResourceType ) Grant (ctx context.Context , principal * v2.Resource , entitlement * v2.Entitlement ) (annotations.Annotations , error ) {
241238 l := ctxzap .Extract (ctx )
242239
240+ // Needs review, I copied this from the team grant function, but roles can be granted to teams as well, but we don't necessarily support that so wasn't sure if this was the intended behavior.
243241 if principal .Id .ResourceType != resourceTypeUser .Id {
244242 l .Warn (
245- "github-connectorv2 : only users can be granted organization roles" ,
243+ "github-connector : only users can be granted organization roles" ,
246244 zap .String ("principal_type" , principal .Id .ResourceType ),
247245 zap .String ("principal_id" , principal .Id .Resource ),
248246 )
249- return nil , fmt .Errorf ("github-connectorv2 : only users can be granted organization roles" )
247+ return nil , fmt .Errorf ("github-connector : only users can be granted organization roles" )
250248 }
251249
252250 roleID , err := strconv .ParseInt (entitlement .Resource .Id .Resource , 10 , 64 )
@@ -297,7 +295,7 @@ func (o *orgRoleResourceType) Grant(ctx context.Context, principal *v2.Resource,
297295 zap .String ("user" , user .GetLogin ()),
298296 )
299297
300- // Use the client's HTTP client to make the request with the correct URL format
298+ // Use the client's HTTP client to make the request with the correct URL format. Couldn't find a built in function for this. Cursor suggested this approach.
301299 url := fmt .Sprintf ("orgs/%s/organization-roles/users/%s/%d" , orgName , user .GetLogin (), roleID )
302300 req , err := o .client .NewRequest ("PUT" , url , nil )
303301 if err != nil {
@@ -345,13 +343,14 @@ func (o *orgRoleResourceType) Revoke(ctx context.Context, grant *v2.Grant) (anno
345343 entitlement := grant .Entitlement
346344 principal := grant .Principal
347345
346+ // Needs review, I copied this from the team grant function, but roles can be granted to teams as well, but we don't necessarily support that so wasn't sure if this was the intended behavior.
348347 if principal .Id .ResourceType != resourceTypeUser .Id {
349348 l .Warn (
350- "github-connectorv2 : only users can have organization roles revoked" ,
349+ "github-connector : only users can have organization roles revoked" ,
351350 zap .String ("principal_type" , principal .Id .ResourceType ),
352351 zap .String ("principal_id" , principal .Id .Resource ),
353352 )
354- return nil , fmt .Errorf ("github-connectorv2 : only users can have organization roles revoked" )
353+ return nil , fmt .Errorf ("github-connector : only users can have organization roles revoked" )
355354 }
356355
357356 roleID , err := strconv .ParseInt (entitlement .Resource .Id .Resource , 10 , 64 )
@@ -374,7 +373,6 @@ func (o *orgRoleResourceType) Revoke(ctx context.Context, grant *v2.Grant) (anno
374373 return nil , fmt .Errorf ("failed to get user: %w" , err )
375374 }
376375
377- // Use the client's HTTP client to make the request with the correct URL format
378376 url := fmt .Sprintf ("orgs/%s/organization-roles/users/%s/%d" , orgName , user .GetLogin (), roleID )
379377 req , err := o .client .NewRequest ("DELETE" , url , nil )
380378 if err != nil {
0 commit comments