
Commit 7acb742

authored
feat: Prevent role changing on yourself. (#1931)
* feat: Prevent role changing on yourself. Only allow changing roles on other users. Not much value in self-changing at the moment.
1 parent 4b0ed06 commit 7acb742


3 files changed

+32
-4
lines changed


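--- a/coderd/members.go
+++ b/coderd/members.go
@@ -20,6 +20,14 @@ func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 	organization := httpmw.OrganizationParam(r)
 	member := httpmw.OrganizationMemberParam(r)
+	apiKey := httpmw.APIKey(r)
+
+	if apiKey.UserID == member.UserID {
+		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+			Message: "You cannot change your own organization roles.",
+		})
+		return
+	}
 
 	var params codersdk.UpdateRoles
 	if !httpapi.Read(rw, r, &params) {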
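Review bot: The new `if apiKey.UserID == member.UserID` guard carries no comment saying why self-modification is rejected, so a later reader cannot tell whether this is a deliberate policy or a safeguard against an admin demoting themselves; suggest `// Self-modification is rejected: callers may only change other users' roles (#1931).` directly above it. The identical guard is added to putUserRoles in coderd/users.go and should carry the same comment, or both handlers should call one shared helper so the two checks stay consistent. putMemberRoles continues outside the hunk, so it cannot be confirmed here whether the RBAC authorization runs before this early return; if it runs after, an unprivileged caller targeting their own membership receives 400 where the other rejection paths return 403.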

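--- a/coderd/users.go
+++ b/coderd/users.go
@@ -474,6 +474,14 @@ func (api *API) putUserRoles(rw http.ResponseWriter, r *http.Request) {
 	// User is the user to modify.
 	user := httpmw.UserParam(r)
 	roles := httpmw.UserRoles(r)
+	apiKey := httpmw.APIKey(r)
+
+	if apiKey.UserID == user.ID {
+		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+			Message: "You cannot change your own roles.",
+		})
+		return
+	}
 
 	var params codersdk.UpdateRoles
 	if !httpapi.Read(rw, r, &params) {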

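--- a/coderd/users_test.go
+++ b/coderd/users_test.go
@@ -409,11 +409,11 @@ func TestGrantRoles(t *testing.T) {
 	t.Run("UpdateIncorrectRoles", func(t *testing.T) {
 		t.Parallel()
 		ctx := context.Background()
+		var err error
+
 		admin := coderdtest.New(t, nil)
 		first := coderdtest.CreateFirstUser(t, admin)
 		member := coderdtest.CreateAnotherUser(t, admin, first.OrganizationID)
-		memberUser, err := member.User(ctx, codersdk.Me)
-		require.NoError(t, err, "member user")
 
 		_, err = admin.UpdateUserRoles(ctx, codersdk.Me, codersdk.UpdateRoles{
 			Roles: []string{rbac.RoleOrgMember(first.OrganizationID)},
@@ -445,7 +445,7 @@ func TestGrantRoles(t *testing.T) {
 		require.Error(t, err, "member cannot change other's roles")
 		requireStatusCode(t, err, http.StatusForbidden)
 
-		_, err = member.UpdateUserRoles(ctx, memberUser.ID.String(), codersdk.UpdateRoles{
+		_, err = member.UpdateUserRoles(ctx, first.UserID.String(), codersdk.UpdateRoles{
 			Roles: []string{rbac.RoleMember()},
 		})
 		require.Error(t, err, "member cannot change any roles")
@@ -456,6 +456,18 @@ func TestGrantRoles(t *testing.T) {
 		})
 		require.Error(t, err, "member cannot change other's org roles")
 		requireStatusCode(t, err, http.StatusForbidden)
+
+		_, err = admin.UpdateUserRoles(ctx, first.UserID.String(), codersdk.UpdateRoles{
+			Roles: []string{},
+		})
+		require.Error(t, err, "admin cannot change self roles")
+		requireStatusCode(t, err, http.StatusBadRequest)
+
+		_, err = admin.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, first.UserID.String(), codersdk.UpdateRoles{
+			Roles: []string{},
+		})
+		require.Error(t, err, "admin cannot change self org roles")
+		requireStatusCode(t, err, http.StatusBadRequest)
 	})
 
 	t.Run("FirstUserRoles", func(t *testing.T) {
@@ -508,7 +520,7 @@ func TestGrantRoles(t *testing.T) {
 		require.NoError(t, err, "grant member admin role")
 
 		// Promote to org admin
-		_, err = member.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, codersdk.Me, codersdk.UpdateRoles{
+		_, err = admin.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, memberUser.ID.String(), codersdk.UpdateRoles{
 			Roles: []string{
 				// Promote to org admin
 				rbac.RoleOrgMember(first.OrganizationID),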
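Review bot: The `UpdateIncorrectRoles` case still calls `admin.UpdateUserRoles(ctx, codersdk.Me, ...)` on the context line after the new `var err error`, and with this commit's self-change guard that request is now rejected as a self-modification before the incorrect org role is ever validated. The assertion that follows is outside the hunk, but if it only requires an error, the test no longer exercises role validation and would pass for the wrong reason. Suggest targeting a different user instead, e.g. keep the removed `memberUser, err := member.User(ctx, codersdk.Me)` lookup and call `admin.UpdateUserRoles(ctx, memberUser.ID.String(), ...)`, so that the role check is what fails. The enclosing TestGrantRoles starts and ends outside the hunk.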
