From f1b207efa67956dcd28715b2bc562e666df2abae Mon Sep 17 00:00:00 2001
From: Victor Skvortsov <vds003@gmail.com>
Date: Wed, 21 Aug 2024 13:59:04 +0500
Subject: [PATCH] Fix global admin restricted by manager role

---
 .../_internal/server/services/projects.py     |  2 +-
 .../_internal/server/routers/test_projects.py | 34 +++++++++++++++++++
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/src/dstack/_internal/server/services/projects.py b/src/dstack/_internal/server/services/projects.py
index 5c1b02f90..0a795427f 100644
--- a/src/dstack/_internal/server/services/projects.py
+++ b/src/dstack/_internal/server/services/projects.py
@@ -160,7 +160,7 @@ async def set_project_members(
         project_name=project.name,
     )
     project_role = get_user_project_role(user=user, project=project)
-    if project_role == ProjectRole.MANAGER:
+    if user.global_role != GlobalRole.ADMIN and project_role == ProjectRole.MANAGER:
         new_admins_members = {
             (m.username, m.project_role) for m in members if m.project_role == ProjectRole.ADMIN
         }
diff --git a/src/tests/_internal/server/routers/test_projects.py b/src/tests/_internal/server/routers/test_projects.py
index fb96ccc15..3f694f642 100644
--- a/src/tests/_internal/server/routers/test_projects.py
+++ b/src/tests/_internal/server/routers/test_projects.py
@@ -457,6 +457,40 @@ async def test_manager_cannot_set_project_admins(self, test_db, session: AsyncSe
         )
         assert response.status_code == 403
 
+    @pytest.mark.asyncio
+    async def test_global_admin_manager_can_set_project_admins(
+        self, test_db, session: AsyncSession
+    ):
+        project = await create_project(session=session)
+        user = await create_user(session=session, global_role=GlobalRole.ADMIN)
+        await add_project_member(
+            session=session,
+            project=project,
+            user=user,
+            project_role=ProjectRole.MANAGER,
+        )
+        user1 = await create_user(session=session, name="user1")
+        members = [
+            {
+                "username": user.name,
+                "project_role": ProjectRole.ADMIN,
+            },
+            {
+                "username": user1.name,
+                "project_role": ProjectRole.ADMIN,
+            },
+        ]
+        body = {"members": members}
+        response = client.post(
+            f"/api/projects/{project.name}/set_members",
+            headers=get_auth_headers(user.token),
+            json=body,
+        )
+        assert response.status_code == 200
+        res = await session.execute(select(MemberModel))
+        members = res.scalars().all()
+        assert len(members) == 2
+
     @pytest.mark.asyncio
     async def test_non_manager_cannot_set_project_members(self, test_db, session: AsyncSession):
         project = await create_project(session=session)