
fix: allow group members to read group information #14200


Merged
24 commits
2c6d037
- allow group members to read basic Group info
hugodutka Aug 6, 2024
2409072
rename ReducedGroup.member_count to ReducedGroup.total_member_count
hugodutka Aug 6, 2024
5391c15
use the reduced groups for user endpoint on the AccountPage
hugodutka Aug 6, 2024
5fcc218
rename UserWithGroupAndOrgID to GroupMemberRBACHelper
hugodutka Aug 7, 2024
2878c21
add the group_members_expanded db view
hugodutka Aug 9, 2024
3aa2a23
add comment on migration
hugodutka Aug 9, 2024
e428d40
rewrite group member queries to use the group_members_expanded view
hugodutka Aug 9, 2024
13ca3a9
add the RBAC ResourceGroupMember and add it to relevant roles
hugodutka Aug 9, 2024
1027d9f
rewrite GetGroupMembersByGroupID permission checks
hugodutka Aug 9, 2024
0aea7f8
- make the GroupMember type contain all user fields
hugodutka Aug 9, 2024
e5c5f3f
simplify RBAC check on group member count
hugodutka Aug 9, 2024
16e95d0
add the MemberTotalCount field to codersdk.Group
hugodutka Aug 9, 2024
d3b4d7c
remove the reduced groups endpoint, revert frontend to use the groups…
hugodutka Aug 9, 2024
b06f943
revert "simplify RBAC check on group member count" - new query didn't…
hugodutka Aug 9, 2024
4a65874
display `group.total_member_count` instead of `group.members.length` …
hugodutka Aug 9, 2024
1f4dcc7
adjust `total_member_count` on `MockGroup`
hugodutka Aug 9, 2024
f1513e0
fixes after rebase
hugodutka Aug 9, 2024
9ef0e0d
simplify RBAC check on GetGroupMembersCountByGroupID
hugodutka Aug 9, 2024
7627933
fix tests
hugodutka Aug 12, 2024
1080b29
resolve lint error
hugodutka Aug 12, 2024
19486da
update the groupsauth test to work with new group member permissions
hugodutka Aug 12, 2024
5373dd7
fix a mistake in test
hugodutka Aug 12, 2024
08646da
make ErrUserDeleted private
hugodutka Aug 13, 2024
4ec6adb
`dbgen.GroupMember` now fails when a supplied user or group doesn't e…
hugodutka Aug 13, 2024
update the groupsauth test to work with new group member permissions
hugodutka committed Aug 12, 2024
commit 19486da8d710e772d4309c55869acfdc3a88444d
16 changes: 6 additions & 10 deletions coderd/database/dbauthz/groupsauth_test.go
Expand Up @@ -115,18 +115,15 @@ func TestGroupsAuth(t *testing.T) {
Name: "GroupMember",
Subject: rbac.Subject{
ID: users[0].ID.String(),
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.ScopedRoleOrgMember(org.ID)}.Expand())),
Roles: rbac.Roles(must(rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgMember(org.ID)}.Expand())),
Groups: []string{
group.Name,
group.ID.String(),
},
Scope: rbac.ExpandableScope(rbac.ScopeAll),
},
// TODO: currently group members cannot see their own groups.
// If this is fixed, these booleans should be flipped to true.
ReadGroup: false,
ReadMembers: false,
// TODO: If fixed, they should only be able to see themselves
// MembersExpected: 1,
ReadGroup: true,
ReadMembers: true,
MembersExpected: 1,
},
{
// Org admin in the incorrect organization
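Review bot: In the "GroupMember" case, `MembersExpected: 1` replaces the TODO that said members "should only be able to see themselves", and that intent is now undocumented and checked only by count. Keep a one-line comment above `MembersExpected: 1` stating that the single row is the subject's own membership, and consider asserting that the returned member's user ID equals `users[0].ID`, so the test fails if the one visible row is some other member. The subject also gains `rbac.RoleMember()` alongside `rbac.ScopedRoleOrgMember(org.ID)`; a short comment on which role this case relies on would make the dependency explicit.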
Expand Down Expand Up @@ -160,8 +157,7 @@ func TestGroupsAuth(t *testing.T) {
require.NoError(t, err, "member read")
require.Len(t, members, tc.MembersExpected, "member count found does not match")
} else {
require.Error(t, err, "member read")
require.True(t, dbauthz.IsNotAuthorizedError(err), "not authorized error")
require.Len(t, members, 0, "member count is not 0")
}
})
}
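Review bot: The else branch now checks only `require.Len(t, members, 0, "member count is not 0")` and no longer looks at `err`, so a call that fails for an unrelated reason and returns a nil slice passes as well. If the new contract is that unauthorized readers get an empty result rather than a not-authorized error, add `require.NoError(t, err, "member read")` before the length check so the test pins that contract. If a not-authorized error is still acceptable on some paths, assert that any non-nil error satisfies `dbauthz.IsNotAuthorizedError(err)` instead of ignoring it.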