
fix(orgs): improve org administration (#16747)#16755

Merged
JeremyCloarec merged 5 commits into
masterfrom
issue/16747
Jun 24, 2026

Conversation

@JeremyCloarec

Contributor

Proposed changes

  • remove ability to modify grantable_groups for org admins

Related issues

How to test this PR

Checklist

  • I consider the submitted work as finished
  • I tested the code for its functionality
  • I wrote test cases for the relevant use cases (coverage and e2e)
  • I added/updated the relevant documentation (either on GitHub or on Notion)
  • Where necessary, I refactored code to improve the overall quality

Further comments

Copilot AI review requested due to automatic review settings June 23, 2026 07:40
@JeremyCloarec JeremyCloarec changed the title fix(orgs): improve org administration fix(orgs): improve org administration (#16747) Jun 23, 2026
@Filigran-Automation Filigran-Automation added the filigran team Item from the Filigran team. label Jun 23, 2026
@Filigran-Automation

Member

🤖 [AI-generated]

Hey @JeremyCloarec! 👋 Thanks a lot for opening PR #16755 — really appreciate the contribution to org administration! 🙏

I just had a quick look and I think the description could be enhanced a little to help reviewers get through it faster. I haven't touched your description at all — just a gentle, optional suggestion:

Area: "How to test this PR"
What could help: the section is currently empty.
Suggestion: add a couple of concrete steps, e.g. log in as an organization admin, open the members/groups admin view, and confirm the grantable_groups field can no longer be modified (with the expected before/after behaviour).

Area: "Proposed changes"
What could help: a second, empty bullet (*) is left over.
Suggestion: either fill it with any additional context (the why behind restricting grantable_groups for org admins) or drop the empty bullet.

💡 If helpful, the contribution conventions and the PR template walk through what to include — the test advice especially helps reviewers verify the change quickly.

No rush at all — thanks again for contributing to OpenCTI! 🚀

Copilot AI left a comment

Contributor


Pull request overview

This PR tightens organization administration permissions in the opencti-graphql backend by preventing “organization admin only” users (VIRTUAL_ORGANIZATION_ADMIN without SETTINGS_SET_ACCESSES) from modifying an organization’s grantable_groups via the generic STIX Domain Object field patch path.

Changes:

  • Add a guard in stixDomainObjectEditField to reject updates to grantable_groups when the caller is only an organization admin.
  • Introduce and use isOnlyOrgaAdmin + ForbiddenAccess to enforce the restriction consistently at the domain layer.

Comment on lines +300 to +307
const verifyGrantableGroupInput = (user, input) => {
const grantableGroupsInput = input.find((e) => e.key === 'grantable_groups');
if (!grantableGroupsInput) {
return;
}
if (isOnlyOrgaAdmin(user)) {
throw ForbiddenAccess();
}
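Review bot: the check at `if (isOnlyOrgaAdmin(user)) {` is a deny-list keyed on one role, so a caller who is not an organization admin but also does not hold SETTINGS_SET_ACCESSES is not rejected by this function at all. Testing the authorizing capability directly, `if (!isUserHasCapability(user, SETTINGS_SET_ACCESSES)) {`, refuses every caller without it and does not need revisiting when another restricted role is introduced. The `input.find((e) => e.key === 'grantable_groups')` lookup only inspects the first matching entry, which is sufficient here since the branch only needs to know whether the key is present.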
@codecov

codecov Bot commented Jun 23, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 24.13%. Comparing base (d7a487a) to head (f994550).
⚠️ Report is 8 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #16755      +/-   ##
==========================================
+ Coverage   24.09%   24.13%   +0.04%     
==========================================
  Files        3271     3272       +1     
  Lines      173270   173500     +230     
  Branches    42957    43060     +103     
==========================================
+ Hits        41744    41879     +135     
- Misses     131526   131621      +95     
Flag                    Coverage   Δ
opencti-client-python   46.30%     (ø)
opencti-front            5.63%     (+0.01%)
opencti-graphql         66.75%     (+0.11%), 100.00% of the modified lines covered


if (!grantableGroupsInput) {
return;
}
if (isOnlyOrgaAdmin(user)) {

Member


why not simply check : !isUserHasCapability(user, SETTINGS_SET_ACCESSES) ?

Contributor Author


you're right, that's a better fix 👍

if (!grantableGroupsInput) {
return;
}
if (isOnlyOrgaAdmin(user)) {

Member


Suggested change
if (isOnlyOrgaAdmin(user)) {
if (!isUserHasCapability(user, SETTINGS_SET_ACCESSES)) {
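The two guards discussed in this thread side by side, as an added example that is not OpenCTI's own code: the role-based check the PR opened with and the capability-based check the reviewer suggested. The capability names, the function names and the `grantable_groups` input shape follow the page; the user object shape (`capabilities: [{ name }]`), the bodies of `isUserHasCapability` and `isOnlyOrgaAdmin`, and the `ForbiddenAccess` class are assumptions made for this example.

```javascript
// Added example, not OpenCTI's code. Compares a role-based guard with a
// capability-based guard on the grantable_groups field. Helper bodies,
// the user shape and the ForbiddenAccess class are assumptions.

const SETTINGS_SET_ACCESSES = 'SETTINGS_SET_ACCESSES';
const VIRTUAL_ORGANIZATION_ADMIN = 'VIRTUAL_ORGANIZATION_ADMIN';

class ForbiddenAccess extends Error {
  constructor() {
    super('You are not allowed to do this.');
    this.name = 'ForbiddenAccess';
  }
}

// Assumed user shape: { id, capabilities: [{ name: string }] }.
const isUserHasCapability = (user, capability) =>
  (user.capabilities || []).some((c) => c.name === capability);

// Assumed definition of "organization admin only": the virtual org-admin
// capability is present and the global SETTINGS_SET_ACCESSES one is not.
const isOnlyOrgaAdmin = (user) =>
  isUserHasCapability(user, VIRTUAL_ORGANIZATION_ADMIN)
  && !isUserHasCapability(user, SETTINGS_SET_ACCESSES);

const findGrantableGroupsInput = (input) =>
  input.find((e) => e.key === 'grantable_groups');

// Before: deny one specific role. Any caller who is not "only an org admin"
// passes, including callers holding neither capability.
const verifyGrantableGroupInputByRole = (user, input) => {
  if (!findGrantableGroupsInput(input)) return;
  if (isOnlyOrgaAdmin(user)) throw new ForbiddenAccess();
};

// After: require the capability that actually authorizes the change.
// Every caller without SETTINGS_SET_ACCESSES is refused, whatever their role.
const verifyGrantableGroupInputByCapability = (user, input) => {
  if (!findGrantableGroupsInput(input)) return;
  if (!isUserHasCapability(user, SETTINGS_SET_ACCESSES)) throw new ForbiddenAccess();
};

// 'allowed' if the guard returns, 'forbidden' if it throws ForbiddenAccess;
// any other error is a bug and propagates.
const outcome = (guard, user, input) => {
  try {
    guard(user, input);
    return 'allowed';
  } catch (e) {
    if (e instanceof ForbiddenAccess) return 'forbidden';
    throw e;
  }
};

// Constructed sample callers and field patches.
const settingsAdmin = { id: 'u1', capabilities: [{ name: SETTINGS_SET_ACCESSES }] };
const orgAdminOnly = { id: 'u2', capabilities: [{ name: VIRTUAL_ORGANIZATION_ADMIN }] };
const plainEditor = { id: 'u3', capabilities: [] };
const grantInput = [{ key: 'grantable_groups', value: ['group--1'] }];
const nameInput = [{ key: 'name', value: ['Acme'] }];

// Runs both guards for every caller on a grantable_groups patch and returns
// a table; the plainEditor row is where the two guards diverge.
const compareGuards = () => {
  const callers = { settingsAdmin, orgAdminOnly, plainEditor };
  const rows = {};
  for (const [label, user] of Object.entries(callers)) {
    rows[label] = {
      byRole: outcome(verifyGrantableGroupInputByRole, user, grantInput),
      byCapability: outcome(verifyGrantableGroupInputByCapability, user, grantInput),
    };
  }
  return rows;
};

console.table(compareGuards());
```

The row for `plainEditor` is the one that matters: the role-based guard lets a caller with neither capability through, the capability-based guard does not. Patches that do not touch `grantable_groups` (such as `nameInput`) are unaffected by either guard.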

@JeremyCloarec JeremyCloarec merged commit 6abd3b3 into master Jun 24, 2026
44 checks passed
@JeremyCloarec JeremyCloarec deleted the issue/16747 branch June 24, 2026 08:35

Labels

filigran team Item from the Filigran team.


Development

Successfully merging this pull request may close these issues.

fix(orgs): improve org administration

4 participants