Add auditor role permission

dannykopping · dannykopping · commit d24bf8890eae · 2024-07-31T14:46:43.000+02:00
Signed-off-by: Danny Kopping &lt;danny@coder.com&gt;
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -439,7 +439,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				Site:        []Permission{},
 				Org: map[string][]Permission{
 					organizationID.String(): Permissions(map[string][]policy.Action{
-						ResourceAuditLog.Type: {policy.ActionRead},
+						ResourceAuditLog.Type:   {policy.ActionRead},
+						ResourceFrobulator.Type: {policy.ActionRead},
 					}),
 				},
 				User: []Permission{},
diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
@@ -591,17 +591,30 @@ func TestRolePermissions(t *testing.T) {
 			},
 		},
 		{
-			// Users should be able to CRUD their own frobulators
-			// Admins from the current organization should be able to CRUD any other user's frobulators
-			// Owner should be able to CRUD any other user's frobulators
-			Name:     "Frobulators",
-			Actions:  []policy.Action{policy.ActionRead, policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
+			// Users should be able to modify their own frobulators
+			// Admins from the current organization should be able to modify any other user's frobulators
+			// Owner should be able to modify any other user's frobulators
+			Name:     "FrobulatorsModify",
+			Actions:  []policy.Action{policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 			Resource: rbac.ResourceFrobulator.WithOwner(currentUser.String()).InOrg(orgID),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
 				true:  {orgMemberMe, orgAdmin, owner},
 				false: {setOtherOrg, memberMe, templateAdmin, userAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor},
 			},
 		},
+		{
+			// Users should be able to read their own frobulators
+			// Admins from the current organization should be able to read any other user's frobulators
+			// Auditors should be able to read any other user's frobulators
+			// Owner should be able to read any other user's frobulators
+			Name:     "FrobulatorsReadOnly",
+			Actions:  []policy.Action{policy.ActionRead},
+			Resource: rbac.ResourceFrobulator.WithOwner(currentUser.String()).InOrg(orgID),
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true:  {orgMemberMe, orgAdmin, owner, orgAuditor},
+				false: {setOtherOrg, memberMe, templateAdmin, userAdmin, orgTemplateAdmin, orgUserAdmin},
+			},
+		},
 		{
 			// Owner should be able to CRUD any other user's frobulators
 			Name:     "FrobulatorsAnyUser",
@@ -613,14 +626,15 @@ func TestRolePermissions(t *testing.T) {
 			},
 		},
 		{
-			// Admins from the current organization should be able to CRUD any other user's frobulators
-			// Owner should be able to CRUD any other user's frobulators
-			Name:     "FrobulatorsAnyUserInOrg",
-			Actions:  []policy.Action{policy.ActionRead, policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
+			// Admins from the current organization should be able to read any other user's frobulators
+			// Auditors should be able to read any other user's frobulators
+			// Owner should be able to read any other user's frobulators
+			Name:     "FrobulatorsReadAnyUserInOrg",
+			Actions:  []policy.Action{policy.ActionRead},
 			Resource: rbac.ResourceFrobulator.InOrg(orgID).WithOwner(uuid.New().String()), // read frobulators of any user
 			AuthorizeMap: map[bool][]hasAuthSubjects{
-				true:  {owner, orgAdmin},
-				false: {memberMe, orgMemberMe, setOtherOrg, templateAdmin, userAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor},
+				true:  {owner, orgAdmin, orgAuditor},
+				false: {memberMe, orgMemberMe, setOtherOrg, templateAdmin, userAdmin, orgTemplateAdmin, orgUserAdmin},
 			},
 		},
 		// AnyOrganization tests
