add avatar URL to org member httpmw

coder · johnstcn · Jan 30, 2024 · Jan 29, 2024 · Jan 29, 2024 · Jan 30, 2024
commit e94a0e16c82cb1016c0708ad6981924b4a449c23
diff --git a/coderd/httpmw/organizationparam.go b/coderd/httpmw/organizationparam.go
@@ -63,12 +63,13 @@ func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler
 	}
 }
 
-// OrganizationMember is the database object plus the Username. Including the Username in this
-// middleware is preferable to a join at the SQL layer so that we can keep the autogenerated
-// database types as they are.
+// OrganizationMember is the database object plus the Username and Avatar URL. Including these
+// in the middleware is preferable to a join at the SQL layer so that we can keep the
+// autogenerated database types as they are.
 type OrganizationMember struct {
 	database.OrganizationMember
-	Username string
+	Username  string
+	AvatarURL string
 }
 
 // ExtractOrganizationMemberParam grabs a user membership from the "organization" and "user" URL parameter.
@@ -107,14 +108,17 @@ func ExtractOrganizationMemberParam(db database.Store) func(http.Handler) http.H
 
 			ctx = context.WithValue(ctx, organizationMemberParamContextKey{}, OrganizationMember{
 				OrganizationMember: organizationMember,
-				// Here we're making one exception to the rule about not leaking data about the user
-				// to the API handler, which is to include the username.  If the caller has permission
-				// to read the OrganizationMember, then we're explicitly saying here that they also
-				// have permission to see the member's username, which is itself uncontroversial.
+				// Here we're making two exceptions to the rule about not leaking data about the user
+				// to the API handler, which is to include the username and avatar URL.
+				// If the caller has permission to read the OrganizationMember, then we're explicitly
+				// saying here that they also have permission to see the member's username and avatar.
+				// This is OK!
 				//
 				// API handlers need this information for audit logging and returning the owner's
-				// username in response to creating a workspace.
-				Username: user.Username,
+				// username in response to creating a workspace. Additionally, the frontend consumes
+				// the Avatar URL and this allows the FE to avoid an extra request.
+				Username:  user.Username,
+				AvatarURL: user.AvatarURL,
 			})
 			next.ServeHTTP(rw, r.WithContext(ctx))
 		})

diff --git a/coderd/httpmw/organizationparam_test.go b/coderd/httpmw/organizationparam_test.go
@@ -8,14 +8,17 @@ import (
 
 	"github.com/go-chi/chi/v5"
 	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbgen"
 	"github.com/coder/coder/v2/coderd/database/dbmem"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/testutil"
 )
 
 func TestOrganizationParam(t *testing.T) {
@@ -139,6 +142,7 @@ func TestOrganizationParam(t *testing.T) {
 	t.Run("Success", func(t *testing.T) {
 		t.Parallel()
 		var (
+			ctx     = testutil.Context(t, testutil.WaitShort)
 			db      = dbmem.New()
 			rw      = httptest.NewRecorder()
 			r, user = setupAuthentication(db)
@@ -148,7 +152,14 @@ func TestOrganizationParam(t *testing.T) {
 		_ = dbgen.OrganizationMember(t, db, database.OrganizationMember{
 			OrganizationID: organization.ID,
 			UserID:         user.ID,
+			Roles:          []string{rbac.RoleOrgMember(organization.ID)},
 		})
+		_, err := db.UpdateUserRoles(ctx, database.UpdateUserRolesParams{
+			ID:           user.ID,
+			GrantedRoles: []string{rbac.RoleTemplateAdmin()},
+		})
+		require.NoError(t, err)
+
 		chi.RouteContext(r.Context()).URLParams.Add("organization", organization.ID.String())
 		chi.RouteContext(r.Context()).URLParams.Add("user", user.ID.String())
 		rtr.Use(
@@ -161,9 +172,27 @@ func TestOrganizationParam(t *testing.T) {
 			httpmw.ExtractOrganizationMemberParam(db),
 		)
 		rtr.Get("/", func(rw http.ResponseWriter, r *http.Request) {
-			_ = httpmw.OrganizationParam(r)
-			_ = httpmw.OrganizationMemberParam(r)
+			org := httpmw.OrganizationParam(r)
+			assert.NotZero(t, org)
+			assert.NotZero(t, org.CreatedAt)
+			// assert.NotZero(t, org.Description) // not supported
+			assert.NotZero(t, org.ID)
+			assert.NotEmpty(t, org.Name)
+			orgMem := httpmw.OrganizationMemberParam(r)
 			rw.WriteHeader(http.StatusOK)
+			assert.NotZero(t, orgMem)
+			assert.NotZero(t, orgMem.CreatedAt)
+			assert.NotZero(t, orgMem.UpdatedAt)
+			assert.Equal(t, org.ID, orgMem.OrganizationID)
+			assert.Equal(t, user.ID, orgMem.UserID)
+			assert.Equal(t, user.Username, orgMem.Username)
+			assert.Equal(t, user.AvatarURL, orgMem.AvatarURL)
+			assert.NotEmpty(t, orgMem.Roles)
+			assert.NotZero(t, orgMem.OrganizationMember)
+			assert.NotEmpty(t, orgMem.OrganizationMember.CreatedAt)
+			assert.NotEmpty(t, orgMem.OrganizationMember.UpdatedAt)
+			assert.NotEmpty(t, orgMem.OrganizationMember.UserID)
+			assert.NotEmpty(t, orgMem.OrganizationMember.Roles)
 		})
 		rtr.ServeHTTP(rw, r)
 		res := rw.Result()