Drop update User auth check from assign roles

Emyrk · Emyrk · commit 7ad069ee5b82 · 2022-05-16T18:47:03.000-05:00
diff --git a/coderd/coderd_test.go b/coderd/coderd_test.go
@@ -143,6 +143,9 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 			AssertObject: rbac.ResourceWorkspace.InOrg(organization.ID).WithID(workspace.ID.String()).WithOwner(workspace.OwnerID.String()),
 		},
 		"GET:/api/v2/organizations/{organization}/workspaces": {StatusCode: http.StatusOK, AssertObject: rbac.ResourceWorkspace},
+
+		// These endpoints need payloads to get to the auth part.
+		"PUT:/api/v2/users/{user}/roles": {StatusCode: http.StatusBadRequest, NoAuthorize: true},
 	}
 
 	c, _ := srv.Config.Handler.(*chi.Mux)
diff --git a/coderd/users.go b/coderd/users.go
@@ -430,10 +430,6 @@ func (api *api) putUserRoles(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 	roles := httpmw.UserRoles(r)
 
-	if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUser.WithOwner(user.ID.String())) {
-		return
-	}
-
 	var params codersdk.UpdateRoles
 	if !httpapi.Read(rw, r, &params) {
 		return

Original file line number	Diff line number	Diff line change
`@@ -143,6 +143,9 @@ func TestAuthorizeAllEndpoints(t *testing.T) {`
`143`	`143`	`AssertObject: rbac.ResourceWorkspace.InOrg(organization.ID).WithID(workspace.ID.String()).WithOwner(workspace.OwnerID.String()),`
`144`	`144`	`},`
`145`	`145`	`"GET:/api/v2/organizations/{organization}/workspaces": {StatusCode: http.StatusOK, AssertObject: rbac.ResourceWorkspace},`
	`146`	`+`
	`147`	`+ // These endpoints need payloads to get to the auth part.`
	`148`	`+ "PUT:/api/v2/users/{user}/roles": {StatusCode: http.StatusBadRequest, NoAuthorize: true},`
`146`	`149`	`}`
`147`	`150`
`148`	`151`	`c, _ := srv.Config.Handler.(*chi.Mux)`