Skip to content

fix: include dormant users in template acl query #14461

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Aug 29, 2024
Merged

fix: include dormant users in template acl query #14461

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion coderd/database/modelqueries.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -167,7 +167,7 @@ func (q *sqlQuerier) GetTemplateUserRoles(ctx context.Context, id uuid.UUID) ([]
WHERE
users.deleted = false
AND
users.status = 'active';
users.status != 'suspended';
`

var tus []TemplateUser
Expand Down
40 changes: 40 additions & 0 deletions enterprise/coderd/templates_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1025,6 +1025,46 @@ func TestTemplateACL(t *testing.T) {
require.Len(t, acl.Users, 0, "deleted users should be filtered")
})

// Test that we do not filter dormant users.
t.Run("IncludeDormantUsers", func(t *testing.T) {
t.Parallel()

client, user := coderdenttest.New(t, &coderdenttest.Options{LicenseOptions: &coderdenttest.LicenseOptions{
Features: license.Features{
codersdk.FeatureTemplateRBAC: 1,
},
}})
anotherClient, _ := coderdtest.CreateAnotherUser(t, client, user.OrganizationID, rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin())

ctx := testutil.Context(t, testutil.WaitLong)

// nolint:gocritic // Must use owner to create user.
user1, err := client.CreateUserWithOrgs(ctx, codersdk.CreateUserRequestWithOrgs{
Email: "coder@coder.com",
Username: "coder",
Password: "SomeStrongPassword!",
OrganizationIDs: []uuid.UUID{user.OrganizationID},
})
require.NoError(t, err)
require.Equal(t, codersdk.UserStatusDormant, user1.Status)
version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)

err = anotherClient.UpdateTemplateACL(ctx, template.ID, codersdk.UpdateTemplateACL{
UserPerms: map[string]codersdk.TemplateRole{
user1.ID.String(): codersdk.TemplateRoleUse,
},
})
require.NoError(t, err)

acl, err := anotherClient.TemplateACL(ctx, template.ID)
require.NoError(t, err)
require.Contains(t, acl.Users, codersdk.TemplateUser{
User: user1,
Role: codersdk.TemplateRoleUse,
})
})

// Test that we do not return suspended users.
t.Run("FilterSuspendedUsers", func(t *testing.T) {
Copy link
Member Author

@code-asher code-asher Aug 27, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we should include suspended users as well? Since the UI is kind of lying about the permissions if a suspended user is there, whether they were added after being suspended or became suspended after the fact. It looks like we explicitly wanted to filter out suspended users so I wanted to hold off to validate if that makes sense first.

Reasoning being:

  1. You can add a suspended user, but then it will just not show up which is confusing (and it does not record in the audit log).
  2. It could cause someone to think a user has no permissions, then if they unsuspend the user "suddenly" they have permissions again.
  3. Someone might know a suspended user had permissions, but when they go to check they cannot see the user and cannot remove the permissions.

But, I am not completely sure about the workflow/use case around suspension so these concerns might be invalid.

Alternatively we could prevent adding suspended users in the first place, and remove all their permissions when they become suspended. More work, but depending on what suspension is meant to be maybe it makes more sense to do it that way.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The UX story around who to show is unclear.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened #14486 so we can figure this out at some point

t.Parallel()
Expand Down
Loading