
Commit be5d045

committed
Add admin role to the first user
1 parent d2ca5c9 commit be5d045


5 files changed

+76
-9
lines changed


coderd/database/querier.go

+1

coderd/database/queries.sql.go

+36-2

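--- a/coderd/database/queries/users.sql
+++ b/coderd/database/queries/users.sql
@@ -33,10 +33,11 @@ INSERT INTO
 username,
 hashed_password,
 created_at,
-updated_at
+updated_at,
+rbac_roles
 )
 VALUES
-($1, $2, $3, $4, $5, $6) RETURNING *;
+($1, $2, $3, $4, $5, $6, $7) RETURNING *;
 
 -- name: UpdateUserProfile :one
 UPDATE
@@ -48,6 +49,16 @@ SET
 WHERE
 id = $1 RETURNING *;
 
+-- name: GrantUserRole :one
+UPDATE
+users
+SET
+-- Append new roles and remove duplicates just to keep things clean.
+rbac_roles = ARRAY(SELECT DISTINCT UNNEST(rbac_roles || @granted_roles :: text[]))
+WHERE
+id = @id
+RETURNING *;
+
 -- name: GetUsers :many
 SELECT
 *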
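Review bot: GrantUserRole stores whatever strings arrive in `@granted_roles` straight into `rbac_roles`, so the only barrier against an arbitrary role grant is validation done before the query runs, and nothing in this file records that contract. A comment above the UPDATE such as `-- Callers must validate granted_roles against the known rbac role names; values are stored verbatim.` would make the expectation explicit. `SELECT DISTINCT UNNEST(...)` also has no ORDER BY, so the order of the stored array is not guaranteed to be stable between grants, which matters if any code or test compares role slices positionally.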

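--- a/coderd/rbac/builtin.go
+++ b/coderd/rbac/builtin.go
@@ -1,6 +1,7 @@
 package rbac
 
 import (
+"github.com/google/uuid"
 "strings"
 
 "golang.org/x/xerrors"
@@ -30,12 +31,12 @@ func RoleMember() string {
 return roleName(member, "")
 }
 
-func RoleOrgAdmin(organizationID string) RoleName {
-return roleName(orgAdmin, organizationID)
+func RoleOrgAdmin(organizationID uuid.UUID) RoleName {
+return roleName(orgAdmin, organizationID.String())
 }
 
-func RoleOrgMember(organizationID string) RoleName {
-return roleName(orgMember, organizationID)
+func RoleOrgMember(organizationID uuid.UUID) RoleName {
+return roleName(orgMember, organizationID.String())
 }
 
 var (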
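Review bot: RoleOrgAdmin and RoleOrgMember now format any `uuid.UUID` into the role name, including `uuid.Nil`, and how roleName treats that value is outside this hunk; a zero organization ID would presumably produce an org-scoped role string for an organization that does not exist. Both exported functions also lack doc comments, so a line such as `// RoleOrgAdmin returns the admin role name scoped to organizationID; callers must not pass uuid.Nil.` (and the matching one for RoleOrgMember) would document the expectation. Separately, the new `"github.com/google/uuid"` import sits in the standard-library group ahead of `"strings"`; it belongs with `"golang.org/x/xerrors"` in the third-party group.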

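--- a/coderd/users.go
+++ b/coderd/users.go
@@ -11,6 +11,8 @@ import (
 "strconv"
 "time"
 
+"github.com/coder/coder/coderd/rbac"
+
 "github.com/go-chi/chi/v5"
 "github.com/go-chi/render"
 "github.com/google/uuid"
@@ -84,6 +86,21 @@ func (api *api) postFirstUser(rw http.ResponseWriter, r *http.Request) {
 return
 }
 
+// TODO: @emyrk this currently happens outside the database tx used to create
+// the user. Maybe I add this ability to grant roles in the createUser api
+// and add some rbac bypass when calling api functions this way??
+// Add the admin role to this first user
+_, err = api.Database.GrantUserRole(r.Context(), database.GrantUserRoleParams{
+GrantedRoles: []string{rbac.RoleAdmin()},
+ID: user.ID,
+})
+if err != nil {
+httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+Message: err.Error(),
+})
+return
+}
+
 httpapi.Write(rw, http.StatusCreated, codersdk.CreateFirstUserResponse{
 UserID: user.ID,
 OrganizationID: organizationID,
@@ -892,6 +909,8 @@ func (api *api) createUser(ctx context.Context, req codersdk.CreateUserRequest)
 Username: req.Username,
 CreatedAt: database.Now(),
 UpdatedAt: database.Now(),
+// All new users are defaulted to members of the site.
+RbacRoles: []string{rbac.RoleMember()},
 }
 // If a user signs up with OAuth, they can have no password!
 if req.Password != "" {
@@ -927,7 +946,8 @@ func (api *api) createUser(ctx context.Context, req codersdk.CreateUserRequest)
 UserID: user.ID,
 CreatedAt: database.Now(),
 UpdatedAt: database.Now(),
-Roles: []string{},
+// By default give them membership to the organization
+Roles: []string{rbac.RoleOrgMember(req.OrganizationID)},
 })
 if err != nil {
 return xerrors.Errorf("create organization member: %w", err)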
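Review bot: The new error branch in postFirstUser sends `err.Error()` from the GrantUserRole database call back to the client in the 500 body; this handler presumably runs before any authenticated session exists, so raw driver or schema text should stay in the server log and the response should carry a fixed message, e.g. `Message: "Internal error granting the first user the admin role.",`. The same failure path leaves the first user already created with only the member role, as the TODO acknowledges; if this endpoint refuses to run once a user exists (not visible here), a failed grant would leave the deployment without an admin, so moving the grant into the creation transaction is worth doing before this ships. postFirstUser starts and ends outside the hunk.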
