Add action for inviting uploader to package (#8849)

Author: sigurdm

app/lib/admin/actions/actions.dart

@@ -2,6 +2,8 @@
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
+import 'package:pub_dev/admin/actions/package_invite_uploader.dart';
+
 import '../../shared/exceptions.dart';
 import 'download_counts_backfill.dart';
 import 'download_counts_delete.dart';
@@ -111,6 +113,7 @@ final class AdminAction {
     packageDelete,
     packageDiscontinue,
     packageInfo,
+    packageInviteUploader,
     packageLatestUpdate,
     packageReservationCreate,
     packageReservationDelete,

app/lib/admin/actions/package_invite_uploader.dart

@@ -0,0 +1,59 @@
+// Copyright (c) 2025, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+import 'package:pub_dev/package/backend.dart';
+
+import '../../account/backend.dart';
+import '../../account/consent_backend.dart';
+import '../../shared/configuration.dart';
+import 'actions.dart';
+
+final packageInviteUploader = AdminAction(
+  name: 'package-invite-uploader',
+  summary: 'invite an email to be uploader of a package',
+  description: '''
+Sends an invite to <email> to become uploader of <package>.
+''',
+  options: {
+    'package': 'Package for which to add an uploader',
+    'email': 'email to send invitation to',
+  },
+  invoke: (options) async {
+    final packageName = options['package'] ??
+        (throw InvalidInputException('Missing --package argument.'));
+
+    final invitedEmail = options['email'] ??
+        (throw InvalidInputException('Missing --email argument.'));
+
+    final package = await packageBackend.lookupPackage(packageName);
+    if (package == null) {
+      throw NotFoundException.resource(packageName);
+    }
+    if (package.publisherId != null) {
+      throw OperationForbiddenException.publisherOwnedPackageNoUploader(
+          packageName, package.publisherId!);
+    }
+    final authenticatedAgent =
+        await requireAuthenticatedAdmin(AdminPermission.invokeAction);
+
+    final inviteStatus = await consentBackend.invitePackageUploader(
+        packageName: packageName,
+        uploaderEmail: invitedEmail,
+        agent: authenticatedAgent);
+
+    final uploaderUsers =
+        await accountBackend.lookupUsersById(package.uploaders!);
+    final isNotUploaderYet =
+        !uploaderUsers.any((u) => u!.email == invitedEmail);
+    InvalidInputException.check(
+        isNotUploaderYet, '`$invitedEmail` is already an uploader.');
+
+    return {
+      'message': 'Invited user',
+      'package': packageName,
+      'emailSent': inviteStatus.emailSent,
+      'email': invitedEmail,
+    };
+  },
+);

app/lib/admin/actions/publisher_member_invite.dart

@@ -33,7 +33,7 @@ Sends an invite to <email> to become a member of <publisher>.
     }
 
     final authenticatedAgent =
-        await requireAuthenticatedAdmin(AdminPermission.removePackage);
+        await requireAuthenticatedAdmin(AdminPermission.invokeAction);
 
     await publisherBackend.verifyPublisherMemberInvite(
         publisherId, InviteMemberRequest(email: invitedEmail));

app/test/admin/api_tool_test.dart

@@ -147,6 +147,76 @@ void main() {
     });
   });
 
+  group('package uploader invite', () {
+    setupTestsWithAdminTokenIssues((client) => client.adminInvokeAction(
+        'package-invite-uploader',
+        AdminInvokeActionArguments(
+            arguments: {'package': 'oxygen', 'email': '[email protected]'})));
+
+    testWithProfile('invite + accept', fn: () async {
+      final adminClient = createPubApiClient(authToken: siteAdminToken);
+      final adminOutput = await adminClient.adminInvokeAction(
+          'package-invite-uploader',
+          AdminInvokeActionArguments(
+              arguments: {'package': 'oxygen', 'email': '[email protected]'}));
+
+      expect(adminOutput.output, {
+        'message': 'Invited user',
+        'package': 'oxygen',
+        'emailSent': true,
+        'email': '[email protected]',
+      });
+
+      final email = fakeEmailSender.sentMessages.first;
+      expect(email.subject, 'You have a new invitation to confirm on pub.dev');
+
+      final page = await auditBackend.listRecordsForPackage('oxygen');
+      final r = page.records
+          .firstWhere((e) => e.kind == AuditLogRecordKind.uploaderInvited);
+      expect(r.summary,
+          '`[email protected]` invited `[email protected]` to be an uploader for package `oxygen`.');
+
+      late String consentId;
+      await withFakeAuthRequestContext(
+        '[email protected]',
+        () async {
+          final authenticatedUser = await requireAuthenticatedWebUser();
+          final user = authenticatedUser.user;
+          final consentRow = await dbService.query<Consent>().run().single;
+          final consent =
+              await consentBackend.getConsent(consentRow.consentId, user);
+          expect(consent.descriptionHtml, contains('/packages/oxygen'));
+          expect(consent.descriptionHtml,
+              contains('perform administrative actions'));
+          consentId = consentRow.consentId;
+        },
+      );
+
+      final acceptingClient =
+          await createFakeAuthPubApiClient(email: '[email protected]');
+      final rs = await acceptingClient.resolveConsent(
+          consentId, account_api.ConsentResult(granted: true));
+      expect(rs.granted, true);
+
+      final page2 = await auditBackend.listRecordsForPackage('oxygen');
+      final r2 = page2.records.firstWhere(
+          (e) => e.kind == AuditLogRecordKind.uploaderInviteAccepted);
+      expect(r2.summary,
+          '`[email protected]` accepted uploader invite for package `oxygen`.');
+
+      final uploaders =
+          (await packageBackend.lookupPackage('oxygen'))!.uploaders;
+      expect(uploaders!, hasLength(2));
+      expect(
+          await Future.wait(uploaders.map((uploader) async =>
+              (await accountBackend.lookupUserById(uploader))!.email)),
+          {
+            '[email protected]',
+            '[email protected]',
+          });
+    });
+  });
+
   group('create and delete publisher', () {
     testWithProfile('publisher has packages', fn: () async {
       final p1 = await publisherBackend.lookupPublisher('example.com');