chore: prevent removing members from the default organization (#14094)

* chore: prevent removing members from the default organization Until multi-organizations is released outside an experiment, the experiment should be backwards compatible.
2025-07-15 22:20:27 +00:00 · 2024-08-05 13:48:10 -05:00
parent 173dc0e35f
commit 0ad5f6067d
5 changed files with 131 additions and 78 deletions
--- a/cli/organizationmembers_test.go
+++ b/cli/organizationmembers_test.go
@ -34,49 +34,3 @@ func TestListOrganizationMembers(t *testing.T) {
 		require.Contains(t, buf.String(), owner.UserID.String())
 	})
 }
 func TestRemoveOrganizationMembers(t *testing.T) {
 	t.Parallel()
 	t.Run("OK", func(t *testing.T) {
 		t.Parallel()
 		ownerClient := coderdtest.New(t, &coderdtest.Options{})
 		owner := coderdtest.CreateFirstUser(t, ownerClient)
 		orgAdminClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID, rbac.ScopedRoleOrgAdmin(owner.OrganizationID))
 		_, user := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID)
 		ctx := testutil.Context(t, testutil.WaitMedium)
 		inv, root := clitest.New(t, "organization", "members", "remove", "-O", owner.OrganizationID.String(), user.Username)
 		clitest.SetupConfig(t, orgAdminClient, root)
 		buf := new(bytes.Buffer)
 		inv.Stdout = buf
 		err := inv.WithContext(ctx).Run()
 		require.NoError(t, err)
 		members, err := orgAdminClient.OrganizationMembers(ctx, owner.OrganizationID)
 		require.NoError(t, err)
 		require.Len(t, members, 2)
 	})
 	t.Run("UserNotExists", func(t *testing.T) {
 		t.Parallel()
 		ownerClient := coderdtest.New(t, &coderdtest.Options{})
 		owner := coderdtest.CreateFirstUser(t, ownerClient)
 		orgAdminClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID, rbac.ScopedRoleOrgAdmin(owner.OrganizationID))
 		ctx := testutil.Context(t, testutil.WaitMedium)
 		inv, root := clitest.New(t, "organization", "members", "remove", "-O", owner.OrganizationID.String(), "random_name")
 		clitest.SetupConfig(t, orgAdminClient, root)
 		buf := new(bytes.Buffer)
 		inv.Stdout = buf
 		err := inv.WithContext(ctx).Run()
 		require.ErrorContains(t, err, "must be an existing uuid or username")
 	})
 }
--- a/coderd/members.go
+++ b/coderd/members.go
@ -106,6 +106,19 @@ func (api *API) deleteOrganizationMember(rw http.ResponseWriter, r *http.Request
 	aReq.Old = member.OrganizationMember.Auditable(member.Username)
 	defer commitAudit()
 	if organization.IsDefault {
 		// Multi-organizations is currently an experiment, which means it is feasible
 		// for a deployment to enable, then disable this. To maintain backwards
 		// compatibility, this safety is necessary.
 		// TODO: Remove this check when multi-organizations is fully supported.
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 			Message:     "Removing members from the default organization is not supported.",
 			Detail:      "Multi-organizations is currently an experiment, and until it is fully supported, the default org should be protected.",
 			Validations: nil,
 		})
 		return
 	}
 	if member.UserID == apiKey.UserID {
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{Message: "cannot remove self from an organization"})
 		return
--- a/coderd/members_test.go
+++ b/coderd/members_test.go
@ -30,6 +30,25 @@ func TestAddMember(t *testing.T) {
 	})
 }
 func TestDeleteMember(t *testing.T) {
 	t.Parallel()
 	t.Run("NotAllowed", func(t *testing.T) {
 		t.Parallel()
 		owner := coderdtest.New(t, nil)
 		first := coderdtest.CreateFirstUser(t, owner)
 		_, user := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID)
 		ctx := testutil.Context(t, testutil.WaitMedium)
 		// Deleting members from the default org is not allowed.
 		// If this behavior changes, and we allow deleting members from the default org,
 		// this test should be updated to check there is no error.
 		// nolint:gocritic // must be an owner to see the user
 		err := owner.DeleteOrganizationMember(ctx, first.OrganizationID, user.Username)
 		require.ErrorContains(t, err, "Multi-organizations is currently an experiment")
 	})
 }
 func TestListMembers(t *testing.T) {
 	t.Parallel()
@ -50,38 +69,6 @@ func TestListMembers(t *testing.T) {
 	})
 }
 func TestRemoveMember(t *testing.T) {
 	t.Parallel()
 	t.Run("OK", func(t *testing.T) {
 		t.Parallel()
 		owner := coderdtest.New(t, nil)
 		first := coderdtest.CreateFirstUser(t, owner)
 		orgAdminClient, orgAdmin := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.ScopedRoleOrgAdmin(first.OrganizationID))
 		_, user := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID)
 		ctx := testutil.Context(t, testutil.WaitMedium)
 		// Verify the org of 3 members
 		members, err := orgAdminClient.OrganizationMembers(ctx, first.OrganizationID)
 		require.NoError(t, err)
 		require.Len(t, members, 3)
 		require.ElementsMatch(t,
 			[]uuid.UUID{first.UserID, user.ID, orgAdmin.ID},
 			db2sdk.List(members, onlyIDs))
 		// Delete a member
 		err = orgAdminClient.DeleteOrganizationMember(ctx, first.OrganizationID, user.Username)
 		require.NoError(t, err)
 		members, err = orgAdminClient.OrganizationMembers(ctx, first.OrganizationID)
 		require.NoError(t, err)
 		require.Len(t, members, 2)
 		require.ElementsMatch(t,
 			[]uuid.UUID{first.UserID, orgAdmin.ID},
 			db2sdk.List(members, onlyIDs))
 	})
 }
 func onlyIDs(u codersdk.OrganizationMemberWithUserData) uuid.UUID {
 	return u.UserID
 }
--- a/enterprise/cli/organizationmembers_test.go
+++ b/enterprise/cli/organizationmembers_test.go
@ -15,6 +15,64 @@ import (
 	"github.com/coder/coder/v2/testutil"
 )
 func TestRemoveOrganizationMembers(t *testing.T) {
 	t.Parallel()
 	t.Run("OK", func(t *testing.T) {
 		t.Parallel()
 		dv := coderdtest.DeploymentValues(t)
 		dv.Experiments = []string{string(codersdk.ExperimentMultiOrganization)}
 		ownerClient, _ := coderdenttest.New(t, &coderdenttest.Options{
 			Options: &coderdtest.Options{
 				DeploymentValues: dv,
 			},
 			LicenseOptions: &coderdenttest.LicenseOptions{
 				Features: license.Features{
 					codersdk.FeatureMultipleOrganizations: 1,
 				},
 			},
 		})
 		secondOrganization := coderdenttest.CreateOrganization(t, ownerClient, coderdenttest.CreateOrganizationOptions{})
 		orgAdminClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, secondOrganization.ID, rbac.ScopedRoleOrgAdmin(secondOrganization.ID))
 		_, user := coderdtest.CreateAnotherUser(t, ownerClient, secondOrganization.ID)
 		ctx := testutil.Context(t, testutil.WaitMedium)
 		inv, root := clitest.New(t, "organization", "members", "remove", "-O", secondOrganization.ID.String(), user.Username)
 		clitest.SetupConfig(t, orgAdminClient, root)
 		buf := new(bytes.Buffer)
 		inv.Stdout = buf
 		err := inv.WithContext(ctx).Run()
 		require.NoError(t, err)
 		members, err := orgAdminClient.OrganizationMembers(ctx, secondOrganization.ID)
 		require.NoError(t, err)
 		require.Len(t, members, 2)
 	})
 	t.Run("UserNotExists", func(t *testing.T) {
 		t.Parallel()
 		ownerClient := coderdtest.New(t, &coderdtest.Options{})
 		owner := coderdtest.CreateFirstUser(t, ownerClient)
 		orgAdminClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID, rbac.ScopedRoleOrgAdmin(owner.OrganizationID))
 		ctx := testutil.Context(t, testutil.WaitMedium)
 		inv, root := clitest.New(t, "organization", "members", "remove", "-O", owner.OrganizationID.String(), "random_name")
 		clitest.SetupConfig(t, orgAdminClient, root)
 		buf := new(bytes.Buffer)
 		inv.Stdout = buf
 		err := inv.WithContext(ctx).Run()
 		require.ErrorContains(t, err, "must be an existing uuid or username")
 	})
 }
 func TestEnterpriseListOrganizationMembers(t *testing.T) {
 	t.Parallel()
--- a/enterprise/members_test.go
+++ b/enterprise/members_test.go
@ -18,6 +18,47 @@ import (
 func TestEnterpriseMembers(t *testing.T) {
 	t.Parallel()
 	t.Run("Remove", func(t *testing.T) {
 		t.Parallel()
 		dv := coderdtest.DeploymentValues(t)
 		dv.Experiments = []string{string(codersdk.ExperimentMultiOrganization)}
 		owner, first := coderdenttest.New(t, &coderdenttest.Options{
 			Options: &coderdtest.Options{
 				DeploymentValues: dv,
 			},
 			LicenseOptions: &coderdenttest.LicenseOptions{
 				Features: license.Features{
 					codersdk.FeatureMultipleOrganizations: 1,
 				},
 			},
 		})
 		secondOrg := coderdenttest.CreateOrganization(t, owner, coderdenttest.CreateOrganizationOptions{})
 		orgAdminClient, orgAdmin := coderdtest.CreateAnotherUser(t, owner, secondOrg.ID, rbac.ScopedRoleOrgAdmin(secondOrg.ID))
 		_, user := coderdtest.CreateAnotherUser(t, owner, secondOrg.ID)
 		ctx := testutil.Context(t, testutil.WaitMedium)
 		// Verify the org of 3 members
 		members, err := orgAdminClient.OrganizationMembers(ctx, secondOrg.ID)
 		require.NoError(t, err)
 		require.Len(t, members, 3)
 		require.ElementsMatch(t,
 			[]uuid.UUID{first.UserID, user.ID, orgAdmin.ID},
 			db2sdk.List(members, onlyIDs))
 		// Delete a member
 		err = orgAdminClient.DeleteOrganizationMember(ctx, secondOrg.ID, user.Username)
 		require.NoError(t, err)
 		members, err = orgAdminClient.OrganizationMembers(ctx, secondOrg.ID)
 		require.NoError(t, err)
 		require.Len(t, members, 2)
 		require.ElementsMatch(t,
 			[]uuid.UUID{first.UserID, orgAdmin.ID},
 			db2sdk.List(members, onlyIDs))
 	})
 	t.Run("PostUser", func(t *testing.T) {
 		t.Parallel()