better error checks

api/pkg/auth/internal/native/enforcer.go

@@ -47,6 +47,12 @@ func (n *Enforcer) Enforce(
 	permissionRef, accountRef, organizationRef, objectRef primitive.ObjectID,
 	action model.Action,
 ) (bool, error) {
+	if organizationRef.IsZero() {
+		n.logger.Warn("Missing organization context", mzap.ObjRef("account_ref", accountRef),
+			mzap.ObjRef("organization_ref", organizationRef), mzap.ObjRef("permission_ref", permissionRef),
+			mzap.ObjRef("object", objectRef), zap.String("action", string(action)))
+		return false, merrors.InvalidArgument("organization context missing", "organizationRef")
+	}
 	roleAssignments, err := n.rdb.Roles(ctx, accountRef, organizationRef)
 	if errors.Is(err, merrors.ErrNoData) {
 		n.logger.Debug("No roles defined for account", mzap.ObjRef("account_ref", accountRef))

api/server/interface/accountservice/internal/service.go

@@ -252,8 +252,8 @@ func (s *service) JoinOrganization(
 		AccountRef:      account.ID,
 	}
 	if err := s.roleManager.Assign(ctx, role); err != nil {
-		s.logger.Warn("Failed to assign role to account",
-			zap.Error(err), mzap.StorableRef(account), mzap.StorableRef(org))
+		s.logger.Warn("Failed to assign role to account", zap.Error(err), mzap.StorableRef(account),
+			mzap.StorableRef(org), mzap.ObjRef("role_description_ref", roleDescID))
 		return err
 	}
 	return nil