Test updates

Emyrk · Emyrk · commit 954f0d277393 · 2024-08-13T12:10:20.000-05:00
diff --git a/coderd/database/dbauthz/customroles_test.go b/coderd/database/dbauthz/customroles_test.go
@@ -98,7 +98,7 @@ func TestInsertCustomRoles(t *testing.T) {
 			org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
 				codersdk.ResourceWorkspace: {codersdk.ActionRead},
 			}),
-			errorContains: "cannot assign both org and site permissions",
+			errorContains: "organization roles specify site or user permissions",
 		},
 		{
 			name:    "invalid-action",
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -342,10 +342,10 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 		Identifier:  RoleUserAdmin(),
 		DisplayName: "User Admin",
 		Site: Permissions(map[string][]policy.Action{
-			ResourceAssignRole.Type: {policy.ActionAssign, policy.ActionDelete, policy.ActionRead, policy.ActionUpdate},
+			ResourceAssignRole.Type: {policy.ActionAssign, policy.ActionDelete, policy.ActionRead},
 			// Need organization assign as well to create users. At present, creating a user
 			// will always assign them to some organization.
-			ResourceAssignOrgRole.Type: {policy.ActionAssign, policy.ActionDelete, policy.ActionRead, policy.ActionUpdate},
+			ResourceAssignOrgRole.Type: {policy.ActionAssign, policy.ActionDelete, policy.ActionRead},
 			ResourceUser.Type: {
 				policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete,
 				policy.ActionUpdatePersonal, policy.ActionReadPersonal,
@@ -461,7 +461,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				Org: map[string][]Permission{
 					organizationID.String(): Permissions(map[string][]policy.Action{
 						// Assign, remove, and read roles in the organization.
-						ResourceAssignOrgRole.Type:      {policy.ActionAssign, policy.ActionDelete, policy.ActionRead, policy.ActionUpdate},
+						ResourceAssignOrgRole.Type:      {policy.ActionAssign, policy.ActionDelete, policy.ActionRead},
 						ResourceOrganizationMember.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 						ResourceGroup.Type:              ResourceGroup.AvailableActions(),
 						ResourceGroupMember.Type:        ResourceGroupMember.AvailableActions(),
diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
@@ -281,7 +281,7 @@ func TestRolePermissions(t *testing.T) {
 		},
 		{
 			Name:     "CreateCustomRole",
-			Actions:  []policy.Action{policy.ActionCreate},
+			Actions:  []policy.Action{policy.ActionCreate, policy.ActionUpdate},
 			Resource: rbac.ResourceAssignRole,
 			AuthorizeMap: map[bool][]hasAuthSubjects{
 				true:  {owner},
@@ -317,7 +317,7 @@ func TestRolePermissions(t *testing.T) {
 		},
 		{
 			Name:     "CreateOrgRoleAssignment",
-			Actions:  []policy.Action{policy.ActionCreate},
+			Actions:  []policy.Action{policy.ActionCreate, policy.ActionUpdate},
 			Resource: rbac.ResourceAssignOrgRole.InOrg(orgID),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
 				true:  {owner, orgAdmin},

Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,7 @@ func TestInsertCustomRoles(t *testing.T) {`
`98`	`98`	`org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`99`	`99`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`100`	`100`	`}),`
`101`		`- errorContains: "cannot assign both org and site permissions",`
	`101`	`+ errorContains: "organization roles specify site or user permissions",`
`102`	`102`	`},`
`103`	`103`	`{`
`104`	`104`	`name: "invalid-action",`