From d780da678fc40c560bd01c6755c6ade3557ab837 Mon Sep 17 00:00:00 2001
From: Youngjin Jo
Date: Mon, 23 Sep 2024 18:23:35 +0900
Subject: [PATCH] fix: modify code when add users to workspace group
Signed-off-by: Youngjin Jo
---
 .../identity/service/role_binding_service.py | 5 +++++
 .../identity/service/workspace_group_service.py | 17 +++++++++++++++++
 .../service/workspace_group_user_service.py | 4 ++++
 3 files changed, 26 insertions(+)
diff --git a/src/spaceone/identity/service/role_binding_service.py b/src/spaceone/identity/service/role_binding_service.py
index 5580f250..437fe4e2 100644
--- a/src/spaceone/identity/service/role_binding_service.py
+++ b/src/spaceone/identity/service/role_binding_service.py
@@ -166,6 +166,11 @@ def update_role(
 self.check_self_update_and_delete(request_user_id, rb_vo.user_id)
+ if rb_vo.workspace_group_id:
+ raise ERROR_PERMISSION_DENIED(
+ key="role_binding_id", value=params.role_binding_id
+ )
+ # Check role
 role_mgr = RoleManager()
 new_role_vo = role_mgr.get_role(params.role_id, params.domain_id)
diff --git a/src/spaceone/identity/service/workspace_group_service.py b/src/spaceone/identity/service/workspace_group_service.py
index 6f395ffd..af7fe04e 100644
--- a/src/spaceone/identity/service/workspace_group_service.py
+++ b/src/spaceone/identity/service/workspace_group_service.py
@@ -198,6 +198,10 @@ def add_users(
 workspace_group_id, domain_id
 )
 old_users_in_workspace_group = workspace_group_vo.users or []
+
+ self.delete_workspace_users_role_binding(
+ new_users, workspace_group_workspace_ids, domain_id
+ )
 new_users_in_workspace_group = self.add_users_to_workspace_group(
 new_users_info_list,
 role_map,
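Review bot: The new `if rb_vo.workspace_group_id:` guard in update_role denies the request without saying why, and the error only carries the role_binding_id, so a caller cannot tell that the binding is tied to a workspace group. I would add a comment above it along the lines of `# Bindings tied to a workspace group are presumably managed through the group; reject direct role changes.` and confirm that wording against the intended design. The delete path for role bindings is not part of this hunk; if it lacks an equivalent guard, a group-linked binding could still be removed directly, so that is worth checking. update_role starts and ends outside the hunk.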
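Review bot: In add_users the users' existing workspace role bindings are deleted before `self.add_users_to_workspace_group(...)` runs, so if that call raises (its body is not visible here) the users are left with neither their old bindings nor the group-derived ones. Everything that can fail should be checked before `self.delete_workspace_users_role_binding(...)` is called, or the removed bindings should be restored on failure. The same ordering is introduced in the add method of workspace_group_user_service.py. add_users starts and ends outside the hunk.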
@@ -488,6 +492,19 @@ def get_workspace_ids(workspace_group_id: str, domain_id: str) -> List[str]:
 return workspace_ids
+ def delete_workspace_users_role_binding(
+ self,
+ new_users: List[str],
+ workspace_group_workspace_ids: List[str],
+ domain_id: str,
+ ) -> None:
+ rb_vos = self.rb_mgr.filter_role_bindings(
+ user_id=new_users,
+ workspace_id=workspace_group_workspace_ids,
+ domain_id=domain_id,
+ )
+ rb_vos.delete()
+
 def add_users_to_workspace_group(
 self,
 new_users_info_list: List[Dict[str, str]],
diff --git a/src/spaceone/identity/service/workspace_group_user_service.py b/src/spaceone/identity/service/workspace_group_user_service.py
index d9b32d0b..f5136146 100644
--- a/src/spaceone/identity/service/workspace_group_user_service.py
+++ b/src/spaceone/identity/service/workspace_group_user_service.py
@@ -116,6 +116,10 @@ def add(
 workspace_group_workspace_ids = self.workspace_group_svc.get_workspace_ids(
 workspace_group_id, domain_id
 )
+
+ self.workspace_group_svc.delete_workspace_users_role_binding(
+ new_users, workspace_group_workspace_ids, domain_id
+ )
 workspace_group_new_users_info = (
 self.workspace_group_svc.add_users_to_workspace_group(
 new_users_info_list,
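Review bot: delete_workspace_users_role_binding bulk-deletes every binding that matches the user and workspace lists, with no guard for empty inputs, no docstring and no record of what was removed. How `filter_role_bindings` treats an empty list is not visible here, so an early return such as `if not new_users or not workspace_group_workspace_ids: return` would keep an empty argument from widening the delete. Calling `rb_vos.delete()` on the query result presumably bypasses any per-binding handling that the manager's single-delete path performs, which is worth confirming. A docstring should state that all of the users' existing bindings in those workspaces are removed regardless of role, and a log line with the number of deleted bindings and the domain_id would make the access change traceable.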