
Commit dc46e3e

committed
feat(password): add test for validate auditor use case and change logic
1 parent 22ed129 commit dc46e3e

2 files changed

+29
-15
lines changed


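--- a/coderd/users.go
+++ b/coderd/users.go
@@ -1046,25 +1046,14 @@ func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
 return
 }
 
-admin, err := api.Database.GetUserByID(ctx, apiKey.UserID)
-if err != nil {
-httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-Message: "Internal error fetching user.",
-Detail: err.Error(),
-})
-return
-}
-
-// only admins or owners can change passwords without sending old_password
-if params.OldPassword == "" && (!slice.Contains(admin.RBACRoles, codersdk.RoleUserAdmin) &&
-!slice.Contains(admin.RBACRoles, codersdk.RoleOwner)) {
+// A user need to put its own password to update it
+if apiKey.UserID == user.ID && params.OldPassword == "" {
 httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-Message: "Old password is required for non-admin users.",
+Message: "Old password is required.",
 })
-return
 }
 
-err = userpassword.Validate(params.Password)
+err := userpassword.Validate(params.Password)
 if err != nil {
 httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 Message: "Invalid password.",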
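Review bot: The `return` after the "Old password is required." write is removed on the new side (old line 1064 has no counterpart), so a self-update with an empty old_password writes a 400 and then falls through into `userpassword.Validate` and whatever follows, which by the look of it is the password update itself; the handler would also write a second response on the same ResponseWriter. Restore the early exit: `return` directly after the `})` that closes the BadRequest write. With the role lookup removed, the only thing stopping a non-privileged key from changing someone else's password is a check outside this hunk (the new 404 test suggests an RBAC authorize call earlier in the function), so the comment should say so: `// A user changing their own password must supply the current one; the right to change another user's password is enforced by the authorization check above.`. putUserPassword starts and ends outside the hunk.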
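--- a/coderd/users_test.go
+++ b/coderd/users_test.go
@@ -1057,6 +1057,31 @@ func TestUpdateUserPassword(t *testing.T) {
 require.NoError(t, err, "member should login successfully with the new password")
 })
 
+t.Run("AuditorCantUpdateOtherUserPassword", func(t *testing.T) {
+t.Parallel()
+client := coderdtest.New(t, nil)
+owner := coderdtest.CreateFirstUser(t, client)
+
+auditor, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.RoleAuditor())
+
+ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+defer cancel()
+
+member, err := client.CreateUserWithOrgs(ctx, codersdk.CreateUserRequestWithOrgs{
+Email: "coder@coder.com",
+Username: "coder",
+Password: "SomeStrongPassword!",
+OrganizationIDs: []uuid.UUID{owner.OrganizationID},
+})
+require.NoError(t, err, "create member")
+
+err = auditor.UpdateUserPassword(ctx, member.ID.String(), codersdk.UpdateUserPasswordRequest{
+Password: "SomeNewStrongPassword!",
+})
+require.Error(t, err, "auditor should not be able to update member password")
+require.ErrorContains(t, err, "unexpected status code 404: Resource not found or you do not have access to this resource")
+})
+
 t.Run("MemberCanUpdateOwnPassword", func(t *testing.T) {
 t.Parallel()
 auditor := audit.NewMock()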
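Review bot: The new subtest covers only the auditor-to-other-user path, which is rejected with a 404 before the handler's new condition is reached; the branch the commit actually changes, a user updating their own password with an empty `OldPassword`, has no case in this hunk, and that is the branch where the handler's missing `return` would let the update go through after the 400 is written. Unless another subtest in TestUpdateUserPassword already does so, add a self-update case that sends only `Password` from the member's own client and asserts a 400 with "Old password is required.", then logs in with the old password to confirm it was not changed. Matching the whole "unexpected status code 404: ..." string ties the test to the exact wording of a generic message; checking the status via an `*codersdk.Error` with `errors.As` would be more robust. TestUpdateUserPassword starts and ends outside the hunk.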