fix rbac

f0ssel · f0ssel · commit d86b9b27a653 · 2022-05-27T16:46:25.000Z
diff --git a/coderd/users.go b/coderd/users.go
@@ -359,7 +359,7 @@ func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
 		params codersdk.UpdateUserPasswordRequest
 	)
 
-	if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUserData.WithID(user.ID.String())) {
+	if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUserData.WithOwner(user.ID.String())) {
 		return
 	}
 
diff --git a/coderd/users_test.go b/coderd/users_test.go
@@ -335,6 +335,16 @@ func TestUpdateUserPassword(t *testing.T) {
 		})
 		require.NoError(t, err, "member should be able to update own password")
 	})
+	t.Run("MemberCantUpdateOwnPasswordWithoutOldPassword", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		admin := coderdtest.CreateFirstUser(t, client)
+		member := coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
+		err := member.UpdateUserPassword(context.Background(), "me", codersdk.UpdateUserPasswordRequest{
+			Password: "newpassword",
+		})
+		require.Error(t, err, "member should not be able to update own password without providing old password")
+	})
 	t.Run("AdminCantUpdateOwnPasswordWithoutOldPassword", func(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, nil)

Original file line number	Diff line number	Diff line change
`@@ -359,7 +359,7 @@ func (api API) putUserPassword(rw http.ResponseWriter, r http.Request) {`
`359`	`359`	`params codersdk.UpdateUserPasswordRequest`
`360`	`360`	`)`
`361`	`361`
`362`		`- if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUserData.WithID(user.ID.String())) {`
	`362`	`+ if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUserData.WithOwner(user.ID.String())) {`
`363`	`363`	`return`
`364`	`364`	`}`
`365`	`365`