@@ -43,6 +43,33 @@ func dbauthzAuthorizationContext(m dsl.Matcher) {
4343 Report ("Using '$f' is dangerous and should be accompanied by a comment explaining why it's ok and a nolint." )
4444}
4545
46+ // testingWithOwnerUser is a lint rule that detects potential permission bugs.
47+ // Calling CreateFirstUser in a test is fine, but we should avoid
48+ // using the the methods of the client passed to it.
49+ // However, using it in coderdtest.* methods is generally OK since
50+ // these are used to setup the test environment.
51+ //
52+ // Similarly, calling clitest.SetupConfig with a client authenticated
53+ // as the Owner user can be a problem, since the CLI will be operating
54+ // as the owner user and we may miss permission bugs.
55+ //
56+ //nolint:unused,deadcode,varnamelen
57+ func testingWithOwnerUser (m dsl.Matcher ) {
58+ m .Import ("testing" )
59+ m .Import ("github.com/coder/coder/v2/cli/clitest" )
60+
61+ m .Match (`
62+ $_ := coderdtest.CreateFirstUser($t, $client)
63+ $*_
64+ clitest.$SetupConfig($t, $client, $_)
65+ ` ).
66+ Where (m ["t" ].Type .Implements ("testing.TB" ) &&
67+ m ["SetupConfig" ].Text .Matches ("^SetupConfig$" ) &&
68+ m .File ().Name .Matches (`_test\.go$` )).
69+ At (m ["SetupConfig" ]).
70+ Report (`The CLI will be operating as the owner user, which has unrestricted permissions. Consider creating a different user.` )
71+ }
72+
4673// Use xerrors everywhere! It provides additional stacktrace info!
4774//
4875//nolint:unused,deadcode,varnamelen
0 commit comments