feat: Add some perms to users

Emyrk · Emyrk · commit ff7bd81794a2 · 2022-05-16T08:39:35.000-05:00
diff --git a/coderd/rbac/builtin.go b/coderd/rbac/builtin.go
@@ -64,7 +64,11 @@ var (
 			return Role{
 				Name:        member,
 				DisplayName: "Member",
-				Site:        permissions(map[Object][]Action{}),
+				Site: permissions(map[Object][]Action{
+					// TODO: @emyrk in EE we should restrict this to only certain fields.
+					// All users can read all other users and know they exist.
+					ResourceUser: {ActionRead},
+				}),
 				User: permissions(map[Object][]Action{
 					ResourceWildcard: {WildcardSymbol},
 				}),
@@ -117,11 +121,13 @@ var (
 							// All org members can read the other members in their org.
 							ResourceType: ResourceOrganizationMember.Type,
 							Action:       ActionRead,
+							ResourceID:   "*",
 						},
 						{
 							// All org members can read the organization
 							ResourceType: ResourceOrganization.Type,
 							Action:       ActionRead,
+							ResourceID:   "*",
 						},
 					},
 				},
diff --git a/coderd/users.go b/coderd/users.go
@@ -162,8 +162,6 @@ func (api *api) users(rw http.ResponseWriter, r *http.Request) {
 
 // Creates a new user.
 func (api *api) postUser(rw http.ResponseWriter, r *http.Request) {
-	apiKey := httpmw.APIKey(r)
-
 	// Create the user on the site
 	if !api.Authorize(rw, r, rbac.ActionCreate, rbac.ResourceUser) {
 		return
@@ -199,7 +197,7 @@ func (api *api) postUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	organization, err := api.Database.GetOrganizationByID(r.Context(), createUser.OrganizationID)
+	_, err = api.Database.GetOrganizationByID(r.Context(), createUser.OrganizationID)
 	if errors.Is(err, sql.ErrNoRows) {
 		httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
 			Message: "organization does not exist with the provided id",
@@ -212,23 +210,6 @@ func (api *api) postUser(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
-	// Check if the caller has permissions to the organization requested.
-	_, err = api.Database.GetOrganizationMemberByUserID(r.Context(), database.GetOrganizationMemberByUserIDParams{
-		OrganizationID: organization.ID,
-		UserID:         apiKey.UserID,
-	})
-	if errors.Is(err, sql.ErrNoRows) {
-		httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
-			Message: "you are not authorized to add members to that organization",
-		})
-		return
-	}
-	if err != nil {
-		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
-			Message: fmt.Sprintf("get organization member: %s", err),
-		})
-		return
-	}
 
 	user, _, err := api.createUser(r.Context(), createUser)
 	if err != nil {
diff --git a/coderd/users_test.go b/coderd/users_test.go
@@ -172,13 +172,14 @@ func TestPostUsers(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, nil)
 		first := coderdtest.CreateFirstUser(t, client)
+		notInOrg := coderdtest.CreateAnotherUser(t, client, first.OrganizationID)
 		other := coderdtest.CreateAnotherUser(t, client, first.OrganizationID)
 		org, err := other.CreateOrganization(context.Background(), codersdk.Me, codersdk.CreateOrganizationRequest{
 			Name: "another",
 		})
 		require.NoError(t, err)
 
-		_, err = client.CreateUser(context.Background(), codersdk.CreateUserRequest{
+		_, err = notInOrg.CreateUser(context.Background(), codersdk.CreateUserRequest{
 			Email:          "some@domain.com",
 			Username:       "anotheruser",
 			Password:       "testing",
@@ -582,7 +583,8 @@ func TestOrganizationByUserAndName(t *testing.T) {
 		_, err := client.OrganizationByName(context.Background(), codersdk.Me, "nothing")
 		var apiErr *codersdk.Error
 		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+		// Returns unauthorized to not leak if the org exists or not
+		require.Equal(t, http.StatusUnauthorized, apiErr.StatusCode())
 	})
 
 	t.Run("NoMember", func(t *testing.T) {
diff --git a/codersdk/roles.go b/codersdk/roles.go
@@ -32,7 +32,7 @@ func (c *Client) ListSiteRoles(ctx context.Context) ([]Role, error) {
 // ListOrganizationRoles lists all available roles for a given organization.
 // This is not user specific.
 func (c *Client) ListOrganizationRoles(ctx context.Context, org uuid.UUID) ([]Role, error) {
-	res, err := c.Request(ctx, http.MethodGet, fmt.Sprintf("/api/v2/organizations/%s/members/roles/", org.String()), nil)
+	res, err := c.Request(ctx, http.MethodGet, fmt.Sprintf("/api/v2/organizations/%s/members/roles", org.String()), nil)
 	if err != nil {
 		return nil, err
 	}

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ func (c *Client) ListSiteRoles(ctx context.Context) ([]Role, error) {`
`32`	`32`	`// ListOrganizationRoles lists all available roles for a given organization.`
`33`	`33`	`// This is not user specific.`
`34`	`34`	`func (c *Client) ListOrganizationRoles(ctx context.Context, org uuid.UUID) ([]Role, error) {`
`35`		`- res, err := c.Request(ctx, http.MethodGet, fmt.Sprintf("/api/v2/organizations/%s/members/roles/", org.String()), nil)`
	`35`	`+ res, err := c.Request(ctx, http.MethodGet, fmt.Sprintf("/api/v2/organizations/%s/members/roles", org.String()), nil)`
`36`	`36`	`if err != nil {`
`37`	`37`	`return nil, err`
`38`	`38`	`}`