From 5db6687f3c8fc5778aba8530c7bedf7cb5e3324d Mon Sep 17 00:00:00 2001
From: Chris Lu <chris.lu@gmail.com>
Date: Mon, 9 Mar 2026 00:32:24 -0700
Subject: [PATCH] fix: add ErrGroupNotEmpty sentinel and map to HTTP 409

AdminServer.DeleteGroup now wraps conflict errors with
ErrGroupNotEmpty, and groupErrorToHTTPStatus maps it to
409 Conflict instead of 500.
---
 weed/admin/dash/group_management.go   | 4 ++--
 weed/admin/handlers/group_handlers.go | 3 +++
 weed/credential/credential_store.go   | 1 +
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/weed/admin/dash/group_management.go b/weed/admin/dash/group_management.go
index 155027e78..1b6259658 100644
--- a/weed/admin/dash/group_management.go
+++ b/weed/admin/dash/group_management.go
@@ -108,10 +108,10 @@ func (s *AdminServer) DeleteGroup(ctx context.Context, name string) error {
 		return fmt.Errorf("failed to get group: %w", err)
 	}
 	if len(g.Members) > 0 {
-		return fmt.Errorf("cannot delete group %s: group has %d member(s)", name, len(g.Members))
+		return fmt.Errorf("cannot delete group %s: group has %d member(s): %w", name, len(g.Members), credential.ErrGroupNotEmpty)
 	}
 	if len(g.PolicyNames) > 0 {
-		return fmt.Errorf("cannot delete group %s: group has %d attached policy(ies)", name, len(g.PolicyNames))
+		return fmt.Errorf("cannot delete group %s: group has %d attached policy(ies): %w", name, len(g.PolicyNames), credential.ErrGroupNotEmpty)
 	}
 	if err := s.credentialManager.DeleteGroup(ctx, name); err != nil {
 		return fmt.Errorf("failed to delete group: %w", err)
diff --git a/weed/admin/handlers/group_handlers.go b/weed/admin/handlers/group_handlers.go
index cd2aa38fb..50e65ac73 100644
--- a/weed/admin/handlers/group_handlers.go
+++ b/weed/admin/handlers/group_handlers.go
@@ -33,6 +33,9 @@ func groupErrorToHTTPStatus(err error) int {
 	if errors.Is(err, credential.ErrPolicyNotFound) {
 		return http.StatusNotFound
 	}
+	if errors.Is(err, credential.ErrGroupNotEmpty) {
+		return http.StatusConflict
+	}
 	return http.StatusInternalServerError
 }
 
diff --git a/weed/credential/credential_store.go b/weed/credential/credential_store.go
index f08f84540..f7972e78b 100644
--- a/weed/credential/credential_store.go
+++ b/weed/credential/credential_store.go
@@ -20,6 +20,7 @@ var (
 	ErrPolicyNotAttached      = errors.New("policy not attached to user")
 	ErrGroupNotFound          = errors.New("group not found")
 	ErrGroupAlreadyExists     = errors.New("group already exists")
+	ErrGroupNotEmpty          = errors.New("group is not empty")
 	ErrUserNotInGroup         = errors.New("user is not a member of the group")
 )