
Commit a3f3837

committed
add role perm assertions
1 parent 41148d9 commit a3f3837


1 file changed

+14
-3
lines changed

1 file changed

+14
-3
lines changed

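--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -112,6 +112,7 @@ func TestRolePermissions(t *testing.T) {
 	// Subjects to user
 	memberMe := authSubject{Name: "member_me", Actor: rbac.Subject{ID: currentUser.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember()}}}
 	orgMemberMe := authSubject{Name: "org_member_me", Actor: rbac.Subject{ID: currentUser.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgMember(orgID)}}}
+	orgMemberMeBanWorkspace := authSubject{Name: "org_member_me_workspace_ban", Actor: rbac.Subject{ID: currentUser.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgMember(orgID), rbac.ScopedRoleOrgWorkspaceCreationBan(orgID)}}}
 	groupMemberMe := authSubject{Name: "group_member_me", Actor: rbac.Subject{ID: currentUser.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgMember(orgID)}, Groups: []string{groupID.String()}}}
 
 	owner := authSubject{Name: "owner", Actor: rbac.Subject{ID: adminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.RoleOwner()}}}
@@ -181,20 +182,30 @@ func TestRolePermissions(t *testing.T) {
 			Actions: []policy.Action{policy.ActionRead},
 			Resource: rbac.ResourceWorkspace.WithID(workspaceID).InOrg(orgID).WithOwner(currentUser.String()),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
-				true: {owner, orgMemberMe, orgAdmin, templateAdmin, orgTemplateAdmin},
+				true: {owner, orgMemberMe, orgAdmin, templateAdmin, orgTemplateAdmin, orgMemberMeBanWorkspace},
 				false: {setOtherOrg, memberMe, userAdmin, orgAuditor, orgUserAdmin},
 			},
 		},
 		{
-			Name: "C_RDMyWorkspaceInOrg",
+			Name: "UpdateMyWorkspaceInOrg",
 			// When creating the WithID won't be set, but it does not change the result.
-			Actions: []policy.Action{policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
+			Actions: []policy.Action{policy.ActionUpdate},
 			Resource: rbac.ResourceWorkspace.WithID(workspaceID).InOrg(orgID).WithOwner(currentUser.String()),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
 				true: {owner, orgMemberMe, orgAdmin},
 				false: {setOtherOrg, memberMe, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor},
 			},
 		},
+		{
+			Name: "C__DMyWorkspaceInOrg",
+			// When creating the WithID won't be set, but it does not change the result.
+			Actions: []policy.Action{policy.ActionCreate, policy.ActionDelete},
+			Resource: rbac.ResourceWorkspace.WithID(workspaceID).InOrg(orgID).WithOwner(currentUser.String()),
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true: {owner, orgMemberMe, orgAdmin},
+				false: {setOtherOrg, memberMe, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor, orgMemberMeBanWorkspace},
+			},
+		},
 		{
 			Name: "MyWorkspaceInOrgExecution",
 			// When creating the WithID won't be set, but it does not change the result.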
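Review bot: The `UpdateMyWorkspaceInOrg` case lists `orgMemberMeBanWorkspace` in neither its `true` nor its `false` set, so the new subject's Update verdict on its own workspace is left unasserted while Read (allowed) and Create/Delete (denied) are pinned. If `TestRolePermissions` enforces that every subject appears in exactly one side of each case (that check, if present, is outside this hunk), the case will fail as written; either way the role's name suggests a creation ban should not block updating an existing workspace, so I would add it as `true: {owner, orgMemberMe, orgAdmin, orgMemberMeBanWorkspace},` with a comment such as `// the creation ban only gates Create/Delete, not updates to an existing workspace` — or put it in `false` if the ban is meant to freeze the workspace entirely, but one of the two should be stated. The case name `C__DMyWorkspaceInOrg` reads as a typo next to the renamed `UpdateMyWorkspaceInOrg`; `CreateDeleteMyWorkspaceInOrg` would make the split explicit. The enclosing `TestRolePermissions` begins and ends outside this hunk.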
