
Commit b055f12

committed
add unit test to verify auditor create workspace behavior
1 parent 343c70d commit b055f12


1 file changed

+45
-0
lines changed


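--- a/enterprise/coderd/workspaces_test.go
+++ b/enterprise/coderd/workspaces_test.go
@@ -191,6 +191,51 @@ func TestCreateWorkspace(t *testing.T) {
 require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
 require.Contains(t, apiErr.Message, "doesn't exist")
 })
+
+// Auditors cannot "use" templates, they can only read them.
+t.Run("Auditor", func(t *testing.T) {
+t.Parallel()
+
+owner, first := coderdenttest.New(t, &coderdenttest.Options{
+Options: &coderdtest.Options{
+IncludeProvisionerDaemon: true,
+},
+LicenseOptions: &coderdenttest.LicenseOptions{
+Features: license.Features{
+codersdk.FeatureTemplateRBAC: 1,
+codersdk.FeatureMultipleOrganizations: 1,
+},
+},
+})
+
+// A member of the org as an auditor
+auditor, _ := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.RoleAuditor())
+
+ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+defer cancel()
+
+// Given: a template with a version without the "use" permission on everyone
+version := coderdtest.CreateTemplateVersion(t, owner, first.OrganizationID, nil)
+_ = coderdtest.AwaitTemplateVersionJobCompleted(t, owner, version.ID)
+template := coderdtest.CreateTemplate(t, owner, first.OrganizationID, version.ID)
+err := owner.UpdateTemplateACL(ctx, template.ID, codersdk.UpdateTemplateACL{
+UserPerms: nil,
+GroupPerms: map[string]codersdk.TemplateRole{
+first.OrganizationID.String(): codersdk.TemplateRoleDeleted,
+},
+})
+require.NoError(t, err)
+
+_, err = auditor.CreateUserWorkspace(ctx, codersdk.Me, codersdk.CreateWorkspaceRequest{
+TemplateID: template.ID,
+Name: "workspace",
+})
+require.Error(t, err)
+var apiErr *codersdk.Error
+require.ErrorAs(t, err, &apiErr)
+require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
+require.Contains(t, apiErr.Message, "Unauthorized access to use the template")
+})
 }
 
 func TestCreateUserWorkspace(t *testing.T) {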
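Review bot: The new "Auditor" subtest verifies only the denied half of the boundary its comment states ("they can only read them"). After the `UpdateTemplateACL` call removes the org-wide group, nothing checks that the auditor can still read the template, so the read grant that is meant to separate this role from a user with no access is untested. A positive control just before the `CreateUserWorkspace` call would pin both sides: `_, err = auditor.Template(ctx, template.ID)` followed by `require.NoError(t, err)`. It would also help to reword the leading comment so it says the 403 is expected once the everyone-group entry is removed from the ACL; as written it reads as an unconditional property of the role, which this test does not establish. The enclosing `TestCreateWorkspace` starts outside the hunk.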
