fix: No org admins until organizations are in the UI (coder#5414)

Emyrk · web-flow · commit 27386d49d084 · 2022-12-14T11:05:42.000-06:00
* fix: No org admins until organizations are in the UI

Until organizations have management UI, we should not set any org
admins. This goes around the site wide perms transparently and
is confusing to users.

Default user is no longer an org admin, so the demotion test makes
no sense
diff --git a/coderd/database/migrations/000086_no_org_admins.down.sql b/coderd/database/migrations/000086_no_org_admins.down.sql
diff --git a/coderd/database/migrations/000086_no_org_admins.up.sql b/coderd/database/migrations/000086_no_org_admins.up.sql
@@ -0,0 +1,6 @@
+UPDATE 
+  organization_members
+SET 
+  roles = ARRAY [] :: text[]
+WHERE 
+  'organization-admin:'||organization_id = ANY(roles);
diff --git a/coderd/organizations.go b/coderd/organizations.go
@@ -76,7 +76,11 @@ func (api *API) postOrganizations(rw http.ResponseWriter, r *http.Request) {
 			CreatedAt:      database.Now(),
 			UpdatedAt:      database.Now(),
 			Roles: []string{
-				rbac.RoleOrgAdmin(organization.ID),
+				// TODO: When organizations are allowed to be created, we should
+				// come back to determining the default role of the person who
+				// creates the org. Until that happens, all users in an organization
+				// should be just regular members.
+				rbac.RoleOrgMember(organization.ID),
 			},
 		})
 		if err != nil {
diff --git a/coderd/users.go b/coderd/users.go
@@ -1071,7 +1071,11 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create
 				return xerrors.Errorf("create organization: %w", err)
 			}
 			req.OrganizationID = organization.ID
-			orgRoles = append(orgRoles, rbac.RoleOrgAdmin(req.OrganizationID))
+			// TODO: When organizations are allowed to be created, we should
+			// come back to determining the default role of the person who
+			// creates the org. Until that happens, all users in an organization
+			// should be just regular members.
+			orgRoles = append(orgRoles, rbac.RoleOrgMember(req.OrganizationID))
 
 			_, err = tx.InsertAllUsersGroup(ctx, organization.ID)
 			if err != nil {
diff --git a/coderd/users_test.go b/coderd/users_test.go
@@ -817,15 +817,6 @@ func TestGrantSiteRoles(t *testing.T) {
 			Error:        true,
 			StatusCode:   http.StatusForbidden,
 		},
-		{
-			Name:         "MemberAssignMember",
-			Client:       member,
-			OrgID:        first.OrganizationID,
-			AssignToUser: first.UserID.String(),
-			Roles:        []string{},
-			Error:        true,
-			StatusCode:   http.StatusForbidden,
-		},
 		{
 			Name:         "AdminUpdateOrgSelf",
 			Client:       admin,
@@ -921,7 +912,7 @@ func TestInitialRoles(t *testing.T) {
 	}, "should be a member and admin")
 
 	require.ElementsMatch(t, roles.OrganizationRoles[first.OrganizationID], []string{
-		rbac.RoleOrgAdmin(first.OrganizationID),
+		rbac.RoleOrgMember(first.OrganizationID),
 	}, "should be a member and admin")
 }
 
