show errors correctly

Author: icecrasher321

apps/sim/app/api/organizations/[id]/permission-groups/[groupId]/members/bulk/route.ts

@@ -76,15 +76,14 @@ export const POST = withRouteHandler(
       const groupWorkspaceIds = group.appliesToAllWorkspaces
         ? []
         : (await getGroupWorkspaces(id)).map((ws) => ws.id)
-      const conflictUserIds = new Set(
-        await findScopeConflicts({
-          organizationId,
-          excludeGroupId: id,
-          appliesToAllWorkspaces: group.appliesToAllWorkspaces,
-          workspaceIds: groupWorkspaceIds,
-          candidateUserIds: targetUserIds,
-        })
-      )
+      const conflicts = await findScopeConflicts({
+        organizationId,
+        excludeGroupId: id,
+        appliesToAllWorkspaces: group.appliesToAllWorkspaces,
+        workspaceIds: groupWorkspaceIds,
+        candidateUserIds: targetUserIds,
+      })
+      const conflictUserIds = new Set(conflicts.map((c) => c.userId))
 
       const { addedUserIds } = await db.transaction(async (tx) => {
         const existingInGroup = await tx

apps/sim/app/api/organizations/[id]/permission-groups/[groupId]/members/route.ts

@@ -15,6 +15,7 @@ import { isOrganizationMember } from '@/lib/workspaces/permissions/utils'
 import {
   authorizeOrgAccessControl,
   findScopeConflicts,
+  formatScopeConflictError,
   getGroupWorkspaces,
   loadGroupInOrganization,
 } from '@/app/api/organizations/[id]/permission-groups/utils'
@@ -102,14 +103,7 @@ export const POST = withRouteHandler(
         candidateUserIds: [userId],
       })
       if (conflicts.length > 0) {
-        return NextResponse.json(
-          {
-            error: group.appliesToAllWorkspaces
-              ? 'This user already belongs to another all-workspaces group. A user can be in only one all-workspaces group.'
-              : 'This user already belongs to another group targeting one of these workspaces. A user can have only one group per workspace.',
-          },
-          { status: 409 }
-        )
+        return NextResponse.json({ error: formatScopeConflictError(conflicts) }, { status: 409 })
       }
 
       const newMember = await db.transaction(async (tx) => {

apps/sim/app/api/organizations/[id]/permission-groups/[groupId]/route.ts

@@ -19,6 +19,7 @@ import {
   authorizeOrgAccessControl,
   findScopeConflicts,
   findWorkspacesNotInOrganization,
+  formatScopeConflictError,
   getGroupWorkspaces,
   loadGroupInOrganization,
 } from '@/app/api/organizations/[id]/permission-groups/utils'
@@ -158,13 +159,7 @@ export const PUT = withRouteHandler(
           candidateUserIds: members.map((m) => m.userId),
         })
         if (conflicts.length > 0) {
-          return NextResponse.json(
-            {
-              error:
-                'This scope change would place some members in two groups for the same workspace. Resolve their group memberships first.',
-            },
-            { status: 409 }
-          )
+          return NextResponse.json({ error: formatScopeConflictError(conflicts) }, { status: 409 })
         }
       }
 

apps/sim/app/api/organizations/[id]/permission-groups/utils.test.ts

@@ -10,6 +10,10 @@ const { mockIsOrganizationAdminOrOwner, mockIsOrganizationOnEnterprisePlan, mock
     mockConflictRows: {
       value: [] as Array<{
         userId: string
+        userName: string | null
+        userEmail: string | null
+        otherGroupId: string
+        otherGroupName: string
         otherAppliesToAll: boolean
         otherWorkspaceId: string | null
       }>,
@@ -42,6 +46,7 @@ vi.mock('@sim/db/schema', () => ({
   permissionGroup: {},
   permissionGroupMember: {},
   permissionGroupWorkspace: {},
+  user: {},
   workspace: {},
 }))
 
@@ -107,8 +112,18 @@ describe('findScopeConflicts', () => {
     candidateUserIds: ['user-1'],
   }
 
+  /** Build a conflict-query row with sensible defaults. */
+  const row = (overrides: { otherAppliesToAll: boolean; otherWorkspaceId: string | null }) => ({
+    userId: 'user-1',
+    userName: 'User One',
+    userEmail: 'user-1@example.com',
+    otherGroupId: 'group-2',
+    otherGroupName: 'Marketing',
+    ...overrides,
+  })
+
   it('returns no conflicts when there are no candidate users', async () => {
-    mockConflictRows.value = [{ userId: 'user-1', otherAppliesToAll: true, otherWorkspaceId: null }]
+    mockConflictRows.value = [row({ otherAppliesToAll: true, otherWorkspaceId: null })]
 
     const conflicts = await findScopeConflicts({
       ...baseParams,
@@ -121,21 +136,20 @@ describe('findScopeConflicts', () => {
   })
 
   it('flags an all-workspaces target when the user is in another all-workspaces group', async () => {
-    mockConflictRows.value = [{ userId: 'user-1', otherAppliesToAll: true, otherWorkspaceId: null }]
+    mockConflictRows.value = [row({ otherAppliesToAll: true, otherWorkspaceId: null })]
 
     const conflicts = await findScopeConflicts({
       ...baseParams,
       appliesToAllWorkspaces: true,
       workspaceIds: [],
     })
 
-    expect(conflicts).toEqual(['user-1'])
+    expect(conflicts.map((c) => c.userId)).toEqual(['user-1'])
+    expect(conflicts[0].conflictingGroupName).toBe('Marketing')
   })
 
   it('allows an all-workspaces target when the user is only in a specific group', async () => {
-    mockConflictRows.value = [
-      { userId: 'user-1', otherAppliesToAll: false, otherWorkspaceId: 'ws-1' },
-    ]
+    mockConflictRows.value = [row({ otherAppliesToAll: false, otherWorkspaceId: 'ws-1' })]
 
     const conflicts = await findScopeConflicts({
       ...baseParams,
@@ -147,23 +161,20 @@ describe('findScopeConflicts', () => {
   })
 
   it('flags a specific target that shares a workspace with another specific group', async () => {
-    mockConflictRows.value = [
-      { userId: 'user-1', otherAppliesToAll: false, otherWorkspaceId: 'ws-1' },
-    ]
+    mockConflictRows.value = [row({ otherAppliesToAll: false, otherWorkspaceId: 'ws-1' })]
 
     const conflicts = await findScopeConflicts({
       ...baseParams,
       appliesToAllWorkspaces: false,
       workspaceIds: ['ws-1', 'ws-2'],
     })
 
-    expect(conflicts).toEqual(['user-1'])
+    expect(conflicts.map((c) => c.userId)).toEqual(['user-1'])
+    expect(conflicts[0].conflictingGroupName).toBe('Marketing')
   })
 
   it('allows a specific target whose workspaces are disjoint from the user other specific group', async () => {
-    mockConflictRows.value = [
-      { userId: 'user-1', otherAppliesToAll: false, otherWorkspaceId: 'ws-3' },
-    ]
+    mockConflictRows.value = [row({ otherAppliesToAll: false, otherWorkspaceId: 'ws-3' })]
 
     const conflicts = await findScopeConflicts({
       ...baseParams,
@@ -175,7 +186,7 @@ describe('findScopeConflicts', () => {
   })
 
   it('allows a specific target when the user is only in an all-workspaces group', async () => {
-    mockConflictRows.value = [{ userId: 'user-1', otherAppliesToAll: true, otherWorkspaceId: null }]
+    mockConflictRows.value = [row({ otherAppliesToAll: true, otherWorkspaceId: null })]
 
     const conflicts = await findScopeConflicts({
       ...baseParams,

apps/sim/app/api/organizations/[id]/permission-groups/utils.ts

@@ -3,6 +3,7 @@ import {
   permissionGroup,
   permissionGroupMember,
   permissionGroupWorkspace,
+  user,
   workspace,
 } from '@sim/db/schema'
 import { and, asc, eq, inArray, ne } from 'drizzle-orm'
@@ -130,20 +131,34 @@ export async function listOrganizationWorkspaces(organizationId: string): Promis
  * All-vs-specific never conflicts (specific overrides all for its workspaces).
  * The candidate group itself (`excludeGroupId`) is ignored.
  */
+/** A member whose other group membership would conflict with a candidate scope. */
+export interface ScopeConflict {
+  userId: string
+  userName: string | null
+  userEmail: string | null
+  /** The group the member already belongs to that causes the conflict. */
+  conflictingGroupId: string
+  conflictingGroupName: string
+}
+
 export async function findScopeConflicts(params: {
   organizationId: string
   excludeGroupId: string
   appliesToAllWorkspaces: boolean
   workspaceIds: string[]
   candidateUserIds: string[]
-}): Promise<string[]> {
+}): Promise<ScopeConflict[]> {
   const { organizationId, excludeGroupId, appliesToAllWorkspaces, workspaceIds, candidateUserIds } =
     params
   if (candidateUserIds.length === 0) return []
 
   const rows = await db
     .select({
       userId: permissionGroupMember.userId,
+      userName: user.name,
+      userEmail: user.email,
+      otherGroupId: permissionGroup.id,
+      otherGroupName: permissionGroup.name,
       otherAppliesToAll: permissionGroup.appliesToAllWorkspaces,
       otherWorkspaceId: permissionGroupWorkspace.workspaceId,
     })
@@ -153,6 +168,7 @@ export async function findScopeConflicts(params: {
       permissionGroupWorkspace,
       eq(permissionGroupWorkspace.permissionGroupId, permissionGroup.id)
     )
+    .leftJoin(user, eq(permissionGroupMember.userId, user.id))
     .where(
       and(
         eq(permissionGroupMember.organizationId, organizationId),
@@ -162,20 +178,42 @@ export async function findScopeConflicts(params: {
     )
 
   const targetWorkspaceSet = new Set(workspaceIds)
-  const conflicts = new Set<string>()
+  const conflictByUser = new Map<string, ScopeConflict>()
 
   for (const row of rows) {
-    if (conflicts.has(row.userId)) continue
-    if (appliesToAllWorkspaces) {
-      if (row.otherAppliesToAll) conflicts.add(row.userId)
-    } else if (
-      !row.otherAppliesToAll &&
-      row.otherWorkspaceId &&
-      targetWorkspaceSet.has(row.otherWorkspaceId)
-    ) {
-      conflicts.add(row.userId)
+    if (conflictByUser.has(row.userId)) continue
+    const isConflict = appliesToAllWorkspaces
+      ? row.otherAppliesToAll
+      : !row.otherAppliesToAll &&
+        row.otherWorkspaceId !== null &&
+        targetWorkspaceSet.has(row.otherWorkspaceId)
+    if (isConflict) {
+      conflictByUser.set(row.userId, {
+        userId: row.userId,
+        userName: row.userName,
+        userEmail: row.userEmail,
+        conflictingGroupId: row.otherGroupId,
+        conflictingGroupName: row.otherGroupName,
+      })
     }
   }
 
-  return Array.from(conflicts)
+  return Array.from(conflictByUser.values())
+}
+
+/**
+ * Human-readable 409 message for a scope/membership conflict, naming the member
+ * and the group they already belong to that overlaps the requested workspaces.
+ */
+export function formatScopeConflictError(conflicts: ScopeConflict[]): string {
+  const [first] = conflicts
+  if (!first) {
+    return 'A member would be governed by two groups for the same workspace. Resolve their group memberships first.'
+  }
+  const who = first.userName || first.userEmail || 'A member'
+  if (conflicts.length === 1) {
+    return `${who} is already in the group "${first.conflictingGroupName}", which targets one of these workspaces. Remove them from one group first.`
+  }
+  const others = conflicts.length - 1
+  return `${who} and ${others} other member${others === 1 ? '' : 's'} already belong to groups that target these workspaces (e.g. "${first.conflictingGroupName}"). Resolve their group memberships first.`
 }

apps/sim/ee/access-control/components/access-control.tsx

@@ -2,6 +2,7 @@
 
 import { useCallback, useMemo, useState } from 'react'
 import { createLogger } from '@sim/logger'
+import { getErrorMessage } from '@sim/utils/errors'
 import { ArrowRight, ChevronDown, Plus } from 'lucide-react'
 import { useParams } from 'next/navigation'
 import {
@@ -31,6 +32,7 @@ import {
   Skeleton,
   Switch,
   Tooltip,
+  toast,
 } from '@/components/emcn'
 import { ArrowLeft } from '@/components/emcn/icons'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
@@ -973,6 +975,9 @@ export function AccessControl() {
       } catch (error) {
         logger.error('Failed to update workspace scope', error)
         setViewingGroup(previous)
+        toast.error("Couldn't update workspaces", {
+          description: getErrorMessage(error, 'Please try again in a moment.'),
+        })
       }
     },
     [viewingGroup, organizationId, organizationWorkspaces, updatePermissionGroup]
@@ -1000,6 +1005,9 @@ export function AccessControl() {
         )
       } catch (error) {
         logger.error('Failed to toggle default group', error)
+        toast.error("Couldn't update the default group", {
+          description: getErrorMessage(error, 'Please try again in a moment.'),
+        })
       }
     },
     [viewingGroup, organizationId, updatePermissionGroup]