fix: add ErrGroupNotEmpty sentinel and map to HTTP 409

AdminServer.DeleteGroup now wraps conflict errors with ErrGroupNotEmpty, and groupErrorToHTTPStatus maps it to 409 Conflict instead of 500.
21 hours ago · 5db6687f3c
3 changed files with 6 additions and 2 deletions
--- a/weed/admin/dash/group_management.go
+++ b/weed/admin/dash/group_management.go
@ -108,10 +108,10 @@ func (s *AdminServer) DeleteGroup(ctx context.Context, name string) error {
 		return fmt.Errorf("failed to get group: %w", err)
 	}
 	if len(g.Members) > 0 {
-		return fmt.Errorf("cannot delete group %s: group has %d member(s)", name, len(g.Members))
+		return fmt.Errorf("cannot delete group %s: group has %d member(s): %w", name, len(g.Members), credential.ErrGroupNotEmpty)
 	}
 	if len(g.PolicyNames) > 0 {
-		return fmt.Errorf("cannot delete group %s: group has %d attached policy(ies)", name, len(g.PolicyNames))
+		return fmt.Errorf("cannot delete group %s: group has %d attached policy(ies): %w", name, len(g.PolicyNames), credential.ErrGroupNotEmpty)
 	}
 	if err := s.credentialManager.DeleteGroup(ctx, name); err != nil {
 		return fmt.Errorf("failed to delete group: %w", err)
--- a/weed/admin/handlers/group_handlers.go
+++ b/weed/admin/handlers/group_handlers.go
@ -33,6 +33,9 @@ func groupErrorToHTTPStatus(err error) int {
 	if errors.Is(err, credential.ErrPolicyNotFound) {
 		return http.StatusNotFound
 	}
+	if errors.Is(err, credential.ErrGroupNotEmpty) {
+		return http.StatusConflict
+	}
 	return http.StatusInternalServerError
 }

--- a/weed/credential/credential_store.go
+++ b/weed/credential/credential_store.go
@ -20,6 +20,7 @@ var (
 	ErrPolicyNotAttached      = errors.New("policy not attached to user")
 	ErrGroupNotFound          = errors.New("group not found")
 	ErrGroupAlreadyExists     = errors.New("group already exists")
+	ErrGroupNotEmpty          = errors.New("group is not empty")
 	ErrUserNotInGroup         = errors.New("user is not a member of the group")
 )