diff --git a/coderd/members.go b/coderd/members.go
index 78f44294ae87f..68767658079f4 100644
--- a/coderd/members.go
+++ b/coderd/members.go
@@ -20,6 +20,14 @@ func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
 user := httpmw.UserParam(r)
 organization := httpmw.OrganizationParam(r)
 member := httpmw.OrganizationMemberParam(r)
+ apiKey := httpmw.APIKey(r)
+
+ if apiKey.UserID == member.UserID {
+ httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+ Message: "You cannot change your own organization roles.",
+ })
+ return
+ }
 
 var params codersdk.UpdateRoles
 if !httpapi.Read(rw, r, ¶ms) {
diff --git a/coderd/users.go b/coderd/users.go
index b8c91f5778d7e..7769a67d53fdc 100644
--- a/coderd/users.go
+++ b/coderd/users.go
@@ -474,6 +474,14 @@ func (api *API) putUserRoles(rw http.ResponseWriter, r *http.Request) {
 // User is the user to modify.
 user := httpmw.UserParam(r)
 roles := httpmw.UserRoles(r)
+ apiKey := httpmw.APIKey(r)
+
+ if apiKey.UserID == user.ID {
+ httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+ Message: "You cannot change your own roles.",
+ })
+ return
+ }
 
 var params codersdk.UpdateRoles
 if !httpapi.Read(rw, r, ¶ms) {
diff --git a/coderd/users_test.go b/coderd/users_test.go
index 6d48f4f2320d8..66ddb7ce6b771 100644
--- a/coderd/users_test.go
+++ b/coderd/users_test.go
@@ -409,11 +409,11 @@ func TestGrantRoles(t *testing.T) {
 t.Run("UpdateIncorrectRoles", func(t *testing.T) {
 t.Parallel()
 ctx := context.Background()
+ var err error
+
 admin := coderdtest.New(t, nil)
 first := coderdtest.CreateFirstUser(t, admin)
 member := coderdtest.CreateAnotherUser(t, admin, first.OrganizationID)
- memberUser, err := member.User(ctx, codersdk.Me)
- require.NoError(t, err, "member user")
 _, err = admin.UpdateUserRoles(ctx, codersdk.Me, codersdk.UpdateRoles{
 Roles: []string{rbac.RoleOrgMember(first.OrganizationID)},
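Review bot: The self-modification guard added to putMemberRoles (and the identical one added to putUserRoles in the users.go hunk) carries no comment saying why it exists, so a later reader may take it for ordinary input validation and remove it; a one-line comment such as `// Refuse self-modification: a caller must not be able to change (and so escalate or strip) its own roles; another admin has to do it.` above the `if` in both hunks would pin the intent. Keying the check on `apiKey.UserID`, the authenticated actor, is the right identity to compare, but the guard runs before the body is read and, as far as these hunks show, before any authorization check, so a caller that is not allowed to edit roles at all now receives 400 instead of 403 when it targets itself — the -445 test hunk was adjusted for exactly that, and the description should say so since clients keying on 403 will see a different status. The two guards are the same seven lines with only the message differing; a small helper that compares the actor with the target user ID and writes the response would keep the two paths from drifting. Both enclosing functions continue outside their hunks.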
@@ -445,7 +445,7 @@ func TestGrantRoles(t *testing.T) {
 require.Error(t, err, "member cannot change other's roles")
 requireStatusCode(t, err, http.StatusForbidden)
 
- _, err = member.UpdateUserRoles(ctx, memberUser.ID.String(), codersdk.UpdateRoles{
+ _, err = member.UpdateUserRoles(ctx, first.UserID.String(), codersdk.UpdateRoles{
 Roles: []string{rbac.RoleMember()},
 })
 require.Error(t, err, "member cannot change any roles")
@@ -456,6 +456,18 @@ func TestGrantRoles(t *testing.T) {
 })
 require.Error(t, err, "member cannot change other's org roles")
 requireStatusCode(t, err, http.StatusForbidden)
+
+ _, err = admin.UpdateUserRoles(ctx, first.UserID.String(), codersdk.UpdateRoles{
+ Roles: []string{},
+ })
+ require.Error(t, err, "admin cannot change self roles")
+ requireStatusCode(t, err, http.StatusBadRequest)
+
+ _, err = admin.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, first.UserID.String(), codersdk.UpdateRoles{
+ Roles: []string{},
+ })
+ require.Error(t, err, "admin cannot change self org roles")
+ requireStatusCode(t, err, http.StatusBadRequest)
 })
 
 t.Run("FirstUserRoles", func(t *testing.T) {
@@ -508,7 +520,7 @@ func TestGrantRoles(t *testing.T) {
 require.NoError(t, err, "grant member admin role")
 
 // Promote to org admin
- _, err = member.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, codersdk.Me, codersdk.UpdateRoles{
+ _, err = admin.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, memberUser.ID.String(), codersdk.UpdateRoles{
 Roles: []string{
 // Promote to org admin
 rbac.RoleOrgMember(first.OrganizationID),