fix: add ErrGroupNotEmpty sentinel and map to HTTP 409

AdminServer.DeleteGroup now wraps conflict errors with
ErrGroupNotEmpty, and groupErrorToHTTPStatus maps it to
409 Conflict instead of 500.

weed/admin/dash/group_management.go

@@ -108,10 +108,10 @@ func (s *AdminServer) DeleteGroup(ctx context.Context, name string) error {
 		return fmt.Errorf("failed to get group: %w", err)
 	}
 	if len(g.Members) > 0 {
-		return fmt.Errorf("cannot delete group %s: group has %d member(s)", name, len(g.Members))
+		return fmt.Errorf("cannot delete group %s: group has %d member(s): %w", name, len(g.Members), credential.ErrGroupNotEmpty)
 	}
 	if len(g.PolicyNames) > 0 {
-		return fmt.Errorf("cannot delete group %s: group has %d attached policy(ies)", name, len(g.PolicyNames))
+		return fmt.Errorf("cannot delete group %s: group has %d attached policy(ies): %w", name, len(g.PolicyNames), credential.ErrGroupNotEmpty)
 	}
 	if err := s.credentialManager.DeleteGroup(ctx, name); err != nil {
 		return fmt.Errorf("failed to delete group: %w", err)

weed/admin/handlers/group_handlers.go

@@ -33,6 +33,9 @@ func groupErrorToHTTPStatus(err error) int {
 	if errors.Is(err, credential.ErrPolicyNotFound) {
 		return http.StatusNotFound
 	}
+	if errors.Is(err, credential.ErrGroupNotEmpty) {
+		return http.StatusConflict
+	}
 	return http.StatusInternalServerError
 }
 

weed/credential/credential_store.go

@@ -20,6 +20,7 @@ var (
 	ErrPolicyNotAttached      = errors.New("policy not attached to user")
 	ErrGroupNotFound          = errors.New("group not found")
 	ErrGroupAlreadyExists     = errors.New("group already exists")
+	ErrGroupNotEmpty          = errors.New("group is not empty")
 	ErrUserNotInGroup         = errors.New("user is not a member of the group")
 )