@@ -691,13 +691,14 @@ func TestRolePermissions(t *testing.T) {
691691 },
692692 },
693693 {
694- // Owner should be able to CRUD any other user's frobulators
695- Name : "FrobulatorsAnyUser" ,
696- Actions : []policy.Action {policy .ActionRead , policy .ActionCreate , policy .ActionUpdate , policy .ActionDelete },
697- Resource : rbac .ResourceFrobulator .WithOwner (uuid .New ().String ()), // read frobulators of any user
694+ // Owner should be able to modify any other user's frobulators in their own org
695+ // Org admin should be able to modify any other user's frobulators in their own org
696+ Name : "FrobulatorsModifyAnyUser" ,
697+ Actions : []policy.Action {policy .ActionCreate , policy .ActionUpdate , policy .ActionDelete },
698+ Resource : rbac .ResourceFrobulator .WithOwner (uuid .New ().String ()).InOrg (orgID ), // read frobulators of any user
698699 AuthorizeMap : map [bool ][]hasAuthSubjects {
699- true : {owner },
700- false : {memberMe , orgMemberMe , orgAdmin , setOtherOrg , templateAdmin , userAdmin , orgTemplateAdmin , orgUserAdmin , orgAuditor },
700+ true : {owner , orgAdmin },
701+ false : {memberMe , orgMemberMe , setOtherOrg , templateAdmin , userAdmin , orgTemplateAdmin , orgUserAdmin , orgAuditor },
701702 },
702703 },
703704 {
@@ -706,7 +707,7 @@ func TestRolePermissions(t *testing.T) {
706707 // Owner should be able to read any other user's frobulators
707708 Name : "FrobulatorsReadAnyUserInOrg" ,
708709 Actions : []policy.Action {policy .ActionRead },
709- Resource : rbac .ResourceFrobulator .InOrg ( orgID ). WithOwner (uuid .New ().String ()), // read frobulators of any user
710+ Resource : rbac .ResourceFrobulator .WithOwner (uuid .New ().String ()). InOrg ( orgID ), // read frobulators of any user
710711 AuthorizeMap : map [bool ][]hasAuthSubjects {
711712 true : {owner , orgAdmin , orgAuditor },
712713 false : {memberMe , orgMemberMe , setOtherOrg , templateAdmin , userAdmin , orgTemplateAdmin , orgUserAdmin },
0 commit comments