fix: include dormant users in template acl query

code-asher · code-asher · commit 0c9e3fffd18f · 2024-08-27T14:56:38.000-08:00
The issue is that if you add a user and then immediately go to give them
permissions, you can add them but they will not show up in the UI.  They
also do not show up in the audit log entry.
diff --git a/coderd/database/modelqueries.go b/coderd/database/modelqueries.go
@@ -167,7 +167,7 @@ func (q *sqlQuerier) GetTemplateUserRoles(ctx context.Context, id uuid.UUID) ([]
 	WHERE
 		users.deleted = false
 	AND
-		users.status = 'active';
+		users.status != 'suspended';
 	`
 
 	var tus []TemplateUser
diff --git a/enterprise/coderd/templates_test.go b/enterprise/coderd/templates_test.go
@@ -1025,6 +1025,53 @@ func TestTemplateACL(t *testing.T) {
 		require.Len(t, acl.Users, 0, "deleted users should be filtered")
 	})
 
+	// Test that we do not filter dormant users.
+	t.Run("IncludeDormantUsers", func(t *testing.T) {
+		t.Parallel()
+
+		client, user := coderdenttest.New(t, &coderdenttest.Options{LicenseOptions: &coderdenttest.LicenseOptions{
+			Features: license.Features{
+				codersdk.FeatureTemplateRBAC: 1,
+			},
+		}})
+		anotherClient, _ := coderdtest.CreateAnotherUser(t, client, user.OrganizationID, rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin())
+
+		ctx := testutil.Context(t, testutil.WaitLong)
+
+		// nolint:gocritic // Must use owner to create user.
+		user1, err := client.CreateUserWithOrgs(ctx, codersdk.CreateUserRequestWithOrgs{
+			Email:           "coder@coder.com",
+			Username:        "coder",
+			Password:        "SomeStrongPassword!",
+			OrganizationIDs: []uuid.UUID{user.OrganizationID},
+		})
+		require.NoError(t, err)
+		require.Equal(t, codersdk.UserStatusDormant, user1.Status)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+		err = anotherClient.UpdateTemplateACL(ctx, template.ID, codersdk.UpdateTemplateACL{
+			UserPerms: map[string]codersdk.TemplateRole{
+				user1.ID.String(): codersdk.TemplateRoleUse,
+			},
+		})
+		require.NoError(t, err)
+
+		acl, err := anotherClient.TemplateACL(ctx, template.ID)
+		require.NoError(t, err)
+		require.Contains(t, acl.Users, codersdk.TemplateUser{
+			User: user1,
+			Role: codersdk.TemplateRoleUse,
+		})
+
+		_, err = anotherClient.UpdateUserStatus(ctx, user1.ID.String(), codersdk.UserStatusSuspended)
+		require.NoError(t, err)
+
+		acl, err = anotherClient.TemplateACL(ctx, template.ID)
+		require.NoError(t, err)
+		require.Len(t, acl.Users, 0, "suspended users should be filtered")
+	})
+
 	// Test that we do not return suspended users.
 	t.Run("FilterSuspendedUsers", func(t *testing.T) {
 		t.Parallel()

Original file line number	Diff line number	Diff line change
`@@ -167,7 +167,7 @@ func (q *sqlQuerier) GetTemplateUserRoles(ctx context.Context, id uuid.UUID) ([]`
`167`	`167`	`WHERE`
`168`	`168`	`users.deleted = false`
`169`	`169`	`AND`
`170`		`- users.status = 'active';`
	`170`	`+ users.status != 'suspended';`
`171`	`171`	`
`172`	`172`
`173`	`173`	`var tus []TemplateUser`