From d48e08e9d2aba81f397899edfc051e37aef050b3 Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Wed, 11 Jun 2025 17:35:22 +0100
Subject: [PATCH 1/3] fix(enterprise/coderd): skip org membership check for prebuilds user on group patch
---
 enterprise/coderd/groups.go | 7 +++++++
 enterprise/coderd/groups_test.go | 26 ++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
diff --git a/enterprise/coderd/groups.go b/enterprise/coderd/groups.go
index cfe5d081271e3..862761a52cd29 100644
--- a/enterprise/coderd/groups.go
+++ b/enterprise/coderd/groups.go
@@ -14,6 +14,7 @@ import (
 "github.com/coder/coder/v2/coderd/database/db2sdk"
 "github.com/coder/coder/v2/coderd/httpapi"
 "github.com/coder/coder/v2/coderd/httpmw"
+ "github.com/coder/coder/v2/coderd/prebuilds"
 "github.com/coder/coder/v2/codersdk"
 )
@@ -171,6 +172,12 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) {
 })
 return
 }
+ // Skip membership checks for the prebuilds user. There is a valid use case
+ // for adding the prebuilds user to a single group: in order to set a quota
+ // allowance specifically for prebuilds.
+ if id == prebuilds.SystemUserID.String() {
+ continue
+ }
 _, err := database.ExpectOne(api.Database.OrganizationMembers(ctx, database.OrganizationMembersParams{
 OrganizationID: group.OrganizationID,
 UserID: uuid.MustParse(id),
diff --git a/enterprise/coderd/groups_test.go b/enterprise/coderd/groups_test.go
index f87a9193f5fa4..64589e83c28b2 100644
--- a/enterprise/coderd/groups_test.go
+++ b/enterprise/coderd/groups_test.go
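Review bot: In the patchGroup hunk of enterprise/coderd/groups.go, the new exemption compares the raw request string with `prebuilds.SystemUserID.String()`, so it matches only the canonical lowercase spelling; an ID that parses to the same UUID but is written differently (upper case, for instance) falls through to the OrganizationMembers lookup instead. That presumably fails closed, but the outcome then depends on spelling; comparing parsed values, e.g. `if uuid.MustParse(id) == prebuilds.SystemUserID {`, would match the `uuid.MustParse(id)` call a few lines below (assuming SystemUserID is a uuid.UUID and that id is validated earlier in the loop, which starts outside the hunk). The same string comparison is kept in [PATCH 2/3] with `database.PrebuildsSystemUserID`. Separately, the comment speaks of "a single group", yet nothing visible limits the exemption to one group, so it is an unconditional exception to the org-membership check for any caller allowed to patch a group; the comment should say that this is intentional, and whether the remove-users path (not visible here) needs the same treatment.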
@@ -463,6 +463,32 @@ func TestPatchGroup(t *testing.T) {
 require.Equal(t, http.StatusBadRequest, cerr.StatusCode())
 })
+ // For quotas to work with prebuilds, it's currently required to add the
+ // prebuilds user into a group with a quota allowance.
+ // See: docs/admin/templates/extending-templates/prebuilt-workspaces.md
+ t.Run("PrebuildsUser", func(t *testing.T) {
+ t.Parallel()
+
+ client, user := coderdenttest.New(t, &coderdenttest.Options{LicenseOptions: &coderdenttest.LicenseOptions{
+ Features: license.Features{
+ codersdk.FeatureTemplateRBAC: 1,
+ },
+ }})
+ userAdminClient, _ := coderdtest.CreateAnotherUser(t, client, user.OrganizationID, rbac.RoleUserAdmin())
+ ctx := testutil.Context(t, testutil.WaitLong)
+ group, err := userAdminClient.CreateGroup(ctx, user.OrganizationID, codersdk.CreateGroupRequest{
+ Name: "prebuilds",
+ QuotaAllowance: 123,
+ })
+ require.NoError(t, err)
+
+ group, err = userAdminClient.PatchGroup(ctx, group.ID, codersdk.PatchGroupRequest{
+ Name: "prebuilds",
+ AddUsers: []string{prebuilds.SystemUserID.String()},
+ })
+ require.NoError(t, err)
+ })
+
 t.Run("Everyone", func(t *testing.T) {
 t.Parallel()
 t.Run("NoUpdateName", func(t *testing.T) {
From 19dda7cf9d15e0d051619c58b295066520d8f085 Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Mon, 23 Jun 2025 09:46:54 +0100
Subject: [PATCH 2/3] fixup! fix(enterprise/coderd): skip org membership check for prebuilds user on group patch
---
 enterprise/coderd/groups.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/enterprise/coderd/groups.go b/enterprise/coderd/groups.go
index 862761a52cd29..89671e00bd65c 100644
--- a/enterprise/coderd/groups.go
+++ b/enterprise/coderd/groups.go
@@ -14,7 +14,6 @@ import (
 "github.com/coder/coder/v2/coderd/database/db2sdk"
 "github.com/coder/coder/v2/coderd/httpapi"
 "github.com/coder/coder/v2/coderd/httpmw"
- "github.com/coder/coder/v2/coderd/prebuilds"
 "github.com/coder/coder/v2/codersdk"
 )
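Review bot: The PrebuildsUser subtest in enterprise/coderd/groups_test.go asserts only that PatchGroup returns no error; the reassigned `group` is never inspected, so the test would still pass if the handler accepted the request but dropped the ID. Asserting on the result, for example `require.Equal(t, 123, group.QuotaAllowance)` together with a membership check through whichever API exposes system users (not visible here), would pin the behaviour the fix is meant to enable. A companion case confirming that an arbitrary non-member ID is still rejected would guard the exemption against widening, unless the preceding subtest, which ends in the StatusBadRequest assertion and starts outside the hunk, already covers that.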
@@ -175,7 +174,7 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) {
 // Skip membership checks for the prebuilds user. There is a valid use case
 // for adding the prebuilds user to a single group: in order to set a quota
 // allowance specifically for prebuilds.
- if id == prebuilds.SystemUserID.String() {
+ if id == database.PrebuildsSystemUserID.String() {
 continue
 }
 _, err := database.ExpectOne(api.Database.OrganizationMembers(ctx, database.OrganizationMembersParams{
From d8c770be092f8f9cad07b0a59984868eac7531f9 Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Mon, 23 Jun 2025 09:53:28 +0100
Subject: [PATCH 3/3] fixup! fixup! fix(enterprise/coderd): skip org membership check for prebuilds user on group patch
---
 enterprise/coderd/groups_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/enterprise/coderd/groups_test.go b/enterprise/coderd/groups_test.go
index 64589e83c28b2..568825adcd0ea 100644
--- a/enterprise/coderd/groups_test.go
+++ b/enterprise/coderd/groups_test.go
@@ -484,7 +484,7 @@ func TestPatchGroup(t *testing.T) {
 group, err = userAdminClient.PatchGroup(ctx, group.ID, codersdk.PatchGroupRequest{
 Name: "prebuilds",
- AddUsers: []string{prebuilds.SystemUserID.String()},
+ AddUsers: []string{database.PrebuildsSystemUserID.String()},
 })
 require.NoError(t, err)
 })