
Commit ddd147d

committed
Fix perms unit tests
1 parent 82ceab8 commit ddd147d


3 files changed

+17
-14
lines changed


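--- a/coderd/database/modelmethods.go
+++ b/coderd/database/modelmethods.go
@@ -194,7 +194,8 @@ func (w Workspace) LockedRBAC() rbac.Object {
 func (m OrganizationMember) RBACObject() rbac.Object {
 return rbac.ResourceOrganizationMember.
 WithID(m.UserID).
-InOrg(m.OrganizationID)
+InOrg(m.OrganizationID).
+WithOwner(m.UserID.String())
 }
 
 func (m GetOrganizationIDsByMemberIDsRow) RBACObject() rbac.Object {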
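Review bot: OrganizationMember.RBACObject now makes the member's own user ID the object owner, which is what lets User-scope permissions (a member reading its own membership, per the roles_test.go expectations in this commit) match, but nothing in the method says so; I would add the doc comment `// RBACObject returns the org-member object; the owner is the member's own user ID so user-scoped (self) permissions apply to it.` above the method. The sibling GetOrganizationIDsByMemberIDsRow.RBACObject on the last line presumably builds the same resource type, and if it omits WithOwner the two row types will authorize differently for the same membership — worth confirming, since its body lies outside the hunk.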

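--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -150,7 +150,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceProvisionerDaemon.Type: {ActionRead},
 }),
 Org: map[string][]Permission{},
-User: append(allPermsExcept(ResourceWorkspaceLocked, ResourceUser),
+User: append(allPermsExcept(ResourceWorkspaceLocked, ResourceUser, ResourceOrganizationMember),
 Permissions(map[string][]Action{
 // Users cannot do create/update/delete on themselves, but they
 // can read their own details.
@@ -206,9 +206,6 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 // Full perms to manage org members
 ResourceOrganizationMember.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 ResourceGroup.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
-
-// Org roles are not really used yet, so grant the perm at the site level.
-ResourceOrganizationMember.Type: {ActionRead},
 }),
 Org: map[string][]Permission{},
 User: []Permission{},
@@ -276,7 +273,12 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 },
 },
 },
-User: []Permission{},
+User: []Permission{
+{
+ResourceType: ResourceOrganizationMember.Type,
+Action: ActionRead,
+},
+},
 }
 },
 }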
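Review bot: The new User-scope entry at line 276 (in what appears, from the test expectations, to be the org-member role) grants ActionRead on ResourceOrganizationMember with no comment on why it is User-scoped rather than Org-scoped, and the comment that explained the old site-level grant was removed in the hunk at 206. The roles_test.go changes in this commit show the intent — a member may read its own membership because the object's owner is its user ID, but not other members' — so I would add `// Members may read their own membership only: the object's owner is the member's user ID.` above the new entry. The exclusion added at line 153 deserves the same treatment: extend the comment at 155-156 so it also says the member's own membership is excluded from the blanket self grant, so a user cannot update or delete it. The removed duplicate `ResourceOrganizationMember.Type` key at 211 would previously have overridden the full-permission entry at 207 in that map literal, which is presumably why the tests were failing and is worth stating somewhere a future reader will find it.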

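--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -108,8 +108,8 @@ func TestRolePermissions(t *testing.T) {
 Actions: []rbac.Action{rbac.ActionRead},
 Resource: rbac.ResourceUserObject(currentUser),
 AuthorizeMap: map[bool][]authSubject{
-true: {owner, memberMe, orgMemberMe, orgAdmin, otherOrgMember, otherOrgAdmin, templateAdmin, userAdmin},
-false: {},
+true: {orgMemberMe, owner, memberMe, templateAdmin, userAdmin},
+false: {otherOrgMember, otherOrgAdmin, orgAdmin},
 },
 },
 {
@@ -281,7 +281,7 @@ func TestRolePermissions(t *testing.T) {
 {
 Name: "ManageOrgMember",
 Actions: []rbac.Action{rbac.ActionCreate, rbac.ActionUpdate, rbac.ActionDelete},
-Resource: rbac.ResourceOrganizationMember.WithID(currentUser).InOrg(orgID),
+Resource: rbac.ResourceOrganizationMember.WithID(currentUser).InOrg(orgID).WithOwner(currentUser.String()),
 AuthorizeMap: map[bool][]authSubject{
 true: {owner, orgAdmin, userAdmin},
 false: {orgMemberMe, memberMe, otherOrgAdmin, otherOrgMember, templateAdmin},
@@ -290,10 +290,10 @@ func TestRolePermissions(t *testing.T) {
 {
 Name: "ReadOrgMember",
 Actions: []rbac.Action{rbac.ActionRead},
-Resource: rbac.ResourceOrganizationMember.WithID(currentUser).InOrg(orgID),
+Resource: rbac.ResourceOrganizationMember.WithID(currentUser).InOrg(orgID).WithOwner(currentUser.String()),
 AuthorizeMap: map[bool][]authSubject{
-true: {owner, orgAdmin, orgMemberMe, userAdmin},
-false: {memberMe, otherOrgAdmin, otherOrgMember, templateAdmin},
+true: {owner, orgAdmin, userAdmin, orgMemberMe, templateAdmin},
+false: {memberMe, otherOrgAdmin, otherOrgMember},
 },
 },
 {
@@ -314,8 +314,8 @@ func TestRolePermissions(t *testing.T) {
 Actions: []rbac.Action{rbac.ActionRead},
 Resource: rbac.ResourceGroup.WithID(groupID).InOrg(orgID),
 AuthorizeMap: map[bool][]authSubject{
-true: {owner, orgAdmin, userAdmin, orgMemberMe},
-false: {memberMe, otherOrgAdmin, otherOrgMember, templateAdmin},
+true: {owner, orgAdmin, userAdmin, templateAdmin},
+false: {memberMe, otherOrgAdmin, orgMemberMe, otherOrgMember},
 },
 },
 {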
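Review bot: The expectation flips in the hunks at 108 and 314 are not explained by any roles.go change in this commit: orgAdmin moves from allowed to denied for reading the user object at 112, and orgMemberMe loses ReadGroup while templateAdmin gains it at 317-318, yet the visible role edits touch only ResourceOrganizationMember. If these rows were simply stale and now match the existing role definitions, that is fine, but a permission-matrix test that flips an admin to denied should say so, e.g. `// orgAdmin manages users through ResourceOrganizationMember, not ResourceUser.` above the 108 case and a similar line above 317. The case Name for the 108 hunk lies outside the hunk, so I cannot confirm which scenario it describes.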
