Add action for inviting uploader to package (#8849)

Author: sigurdm

app/lib/admin/actions/actions.dart

@@ -2,6 +2,8 @@
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
+import 'package:pub_dev/admin/actions/package_invite_uploader.dart';
+
 import '../../shared/exceptions.dart';
 import 'download_counts_backfill.dart';
 import 'download_counts_delete.dart';
@@ -111,6 +113,7 @@ final class AdminAction {
  packageDelete,
  packageDiscontinue,
  packageInfo,
+ packageInviteUploader,
  packageLatestUpdate,
  packageReservationCreate,
  packageReservationDelete,

app/lib/admin/actions/package_invite_uploader.dart

@@ -0,0 +1,59 @@
+// Copyright (c) 2025, the Dart project authors. Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+import 'package:pub_dev/package/backend.dart';
+
+import '../../account/backend.dart';
+import '../../account/consent_backend.dart';
+import '../../shared/configuration.dart';
+import 'actions.dart';
+
+final packageInviteUploader = AdminAction(
+ name: 'package-invite-uploader',
+ summary: 'invite an email to be uploader of a package',
+ description: '''
+Sends an invite to <email> to become uploader of <package>.
+''',
+ options: {
+ 'package': 'Package for which to add an uploader',
+ 'email': 'email to send invitation to',
+ },
+ invoke: (options) async {
+ final packageName = options['package'] ??
+ (throw InvalidInputException('Missing --package argument.'));
+
+ final invitedEmail = options['email'] ??
+ (throw InvalidInputException('Missing --email argument.'));
+
+ final package = await packageBackend.lookupPackage(packageName);
+ if (package == null) {
+ throw NotFoundException.resource(packageName);
+ }
+ if (package.publisherId != null) {
+ throw OperationForbiddenException.publisherOwnedPackageNoUploader(
+ packageName, package.publisherId!);
+ }
+ final authenticatedAgent =
+ await requireAuthenticatedAdmin(AdminPermission.invokeAction);
+
+ final inviteStatus = await consentBackend.invitePackageUploader(
+ packageName: packageName,
+ uploaderEmail: invitedEmail,
+ agent: authenticatedAgent);
+
+ final uploaderUsers =
+ await accountBackend.lookupUsersById(package.uploaders!);
+ final isNotUploaderYet =
+ !uploaderUsers.any((u) => u!.email == invitedEmail);
+ InvalidInputException.check(
+ isNotUploaderYet, '`$invitedEmail` is already an uploader.');
+
+ return {
+ 'message': 'Invited user',
+ 'package': packageName,
+ 'emailSent': inviteStatus.emailSent,
+ 'email': invitedEmail,
+ };
+ },
+);

app/lib/admin/actions/publisher_member_invite.dart

@@ -33,7 +33,7 @@ Sends an invite to <email> to become a member of <publisher>.
  }
 
  final authenticatedAgent =
- await requireAuthenticatedAdmin(AdminPermission.removePackage);
+ await requireAuthenticatedAdmin(AdminPermission.invokeAction);
 
  await publisherBackend.verifyPublisherMemberInvite(
  publisherId, InviteMemberRequest(email: invitedEmail));

app/test/admin/api_tool_test.dart

@@ -147,6 +147,76 @@ void main() {
  });
  });
 
+ group('package uploader invite', () {
+ setupTestsWithAdminTokenIssues((client) => client.adminInvokeAction(
+ 'package-invite-uploader',
+ AdminInvokeActionArguments(
+ arguments: {'package': 'oxygen', 'email': 'member@example.com'})));
+
+ testWithProfile('invite + accept', fn: () async {
+ final adminClient = createPubApiClient(authToken: siteAdminToken);
+ final adminOutput = await adminClient.adminInvokeAction(
+ 'package-invite-uploader',
+ AdminInvokeActionArguments(
+ arguments: {'package': 'oxygen', 'email': 'newmember@pub.dev'}));
+
+ expect(adminOutput.output, {
+ 'message': 'Invited user',
+ 'package': 'oxygen',
+ 'emailSent': true,
+ 'email': 'newmember@pub.dev',
+ });
+
+ final email = fakeEmailSender.sentMessages.first;
+ expect(email.subject, 'You have a new invitation to confirm on pub.dev');
+
+ final page = await auditBackend.listRecordsForPackage('oxygen');
+ final r = page.records
+ .firstWhere((e) => e.kind == AuditLogRecordKind.uploaderInvited);
+ expect(r.summary,
+ '`support@pub.dev` invited `newmember@pub.dev` to be an uploader for package `oxygen`.');
+
+ late String consentId;
+ await withFakeAuthRequestContext(
+ 'newmember@pub.dev',
+ () async {
+ final authenticatedUser = await requireAuthenticatedWebUser();
+ final user = authenticatedUser.user;
+ final consentRow = await dbService.query<Consent>().run().single;
+ final consent =
+ await consentBackend.getConsent(consentRow.consentId, user);
+ expect(consent.descriptionHtml, contains('/packages/oxygen'));
+ expect(consent.descriptionHtml,
+ contains('perform administrative actions'));
+ consentId = consentRow.consentId;
+ },
+ );
+
+ final acceptingClient =
+ await createFakeAuthPubApiClient(email: 'newmember@pub.dev');
+ final rs = await acceptingClient.resolveConsent(
+ consentId, account_api.ConsentResult(granted: true));
+ expect(rs.granted, true);
+
+ final page2 = await auditBackend.listRecordsForPackage('oxygen');
+ final r2 = page2.records.firstWhere(
+ (e) => e.kind == AuditLogRecordKind.uploaderInviteAccepted);
+ expect(r2.summary,
+ '`newmember@pub.dev` accepted uploader invite for package `oxygen`.');
+
+ final uploaders =
+ (await packageBackend.lookupPackage('oxygen'))!.uploaders;
+ expect(uploaders!, hasLength(2));
+ expect(
+ await Future.wait(uploaders.map((uploader) async =>
+ (await accountBackend.lookupUserById(uploader))!.email)),
+ {
+ 'admin@pub.dev',
+ 'newmember@pub.dev',
+ });
+ });
+ });
+
  group('create and delete publisher', () {
  testWithProfile('publisher has packages', fn: () async {
  final p1 = await publisherBackend.lookupPublisher('example.com');