fix: User's should be able to read what roles available (#1575)
@ -66,7 +66,8 @@ var (
|
||||
DisplayName: "Member",
|
||||
Site: permissions(map[Object][]Action{
|
||||
// All users can read all other users and know they exist.
|
||||
ResourceUser: {ActionRead},
|
||||
ResourceUser: {ActionRead},
|
||||
ResourceRoleAssignment: {ActionRead},
|
||||
}),
|
||||
User: permissions(map[Object][]Action{
|
||||
ResourceWildcard: {WildcardSymbol},
|
||||
|
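Review bot: The new `ResourceRoleAssignment: {ActionRead}` entry sits under a comment that only talks about reading users, so nothing records why every member gets read on role assignments or what that read is meant to expose. Because it is in the `Site` permissions of the Member role, the grant presumably reaches every authenticated user. If the same object type also guards who holds which role, and not only the list of roles that exist, the exposure is wider than the commit title suggests; that cannot be confirmed from this hunk. I would put a comment on the new line such as `// Members may list the roles that exist; changing assignments needs a separate grant.` and confirm that the statement holds before merging. The role literal and the enclosing `var (` block start and end outside the hunk.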
@ -34,7 +34,7 @@ func TestRoleByName(t *testing.T) {
|
||||
t.Run(c.Role.Name, func(t *testing.T) {
|
||||
role, err := RoleByName(c.Role.Name)
|
||||
require.NoError(t, err, "role exists")
|
||||
require.Equal(t, c.Role, role)
|
||||
equalRoles(t, c.Role, role)
|
||||
})
|
||||
}
|
||||
})
|
||||
@ -53,3 +53,18 @@ func TestRoleByName(t *testing.T) {
|
||||
require.Error(t, err, "expect orgID")
|
||||
})
|
||||
}
|
||||
|
||||
// SameAs compares 2 roles for equality.
|
||||
func equalRoles(t *testing.T, a, b Role) {
|
||||
require.Equal(t, a.Name, b.Name, "role names")
|
||||
require.Equal(t, a.DisplayName, b.DisplayName, "role display names")
|
||||
require.ElementsMatch(t, a.Site, b.Site, "site permissions")
|
||||
require.ElementsMatch(t, a.User, b.User, "user permissions")
|
||||
require.Equal(t, len(a.Org), len(b.Org), "same number of org roles")
|
||||
|
||||
for ak, av := range a.Org {
|
||||
bv, ok := b.Org[ak]
|
||||
require.True(t, ok, "org permissions missing: %s", ak)
|
||||
require.ElementsMatchf(t, av, bv, "org %s permissions", ak)
|
||||
}
|
||||
}
|
||||
|
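Review bot: The doc comment on the new helper names a different function (`// SameAs compares 2 roles for equality.`), and the helper never calls `t.Helper()`, so a failed comparison is reported at a line inside `equalRoles` instead of at the subtest that called it. I would change the comment to `// equalRoles asserts that a and b describe the same role, ignoring permission order.` and make `t.Helper()` the first statement. Moving from `require.Equal` to `require.ElementsMatch` also means the test no longer notices a reordering of a role's permissions; if the authorizer's result depends on permission order (not visible here), that deserves its own assertion.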
@ -112,7 +112,6 @@ func TestListRoles(t *testing.T) {
|
||||
})
|
||||
require.NoError(t, err, "create org")
|
||||
|
||||
const unauth = "forbidden"
|
||||
const notMember = "not a member of the organization"
|
||||
|
||||
testCases := []struct {
|
||||
@ -128,14 +127,14 @@ func TestListRoles(t *testing.T) {
|
||||
x, err := member.ListSiteRoles(ctx)
|
||||
return x, err
|
||||
},
|
||||
AuthorizedError: unauth,
|
||||
ExpectedRoles: convertRoles(rbac.SiteRoles()),
|
||||
},
|
||||
{
|
||||
Name: "OrgMemberListOrg",
|
||||
APICall: func() ([]codersdk.Role, error) {
|
||||
return member.ListOrganizationRoles(ctx, admin.OrganizationID)
|
||||
},
|
||||
AuthorizedError: unauth,
|
||||
ExpectedRoles: convertRoles(rbac.OrganizationRoles(admin.OrganizationID)),
|
||||
},
|
||||
{
|
||||
Name: "NonOrgMemberListOrg",
|
||||
@ -150,7 +149,7 @@ func TestListRoles(t *testing.T) {
|
||||
APICall: func() ([]codersdk.Role, error) {
|
||||
return orgAdmin.ListSiteRoles(ctx)
|
||||
},
|
||||
AuthorizedError: unauth,
|
||||
ExpectedRoles: convertRoles(rbac.SiteRoles()),
|
||||
},
|
||||
{
|
||||
Name: "OrgAdminListOrg",
|
||||
|
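Review bot: With `const unauth = "forbidden"` removed and all three `AuthorizedError: unauth` expectations replaced by `ExpectedRoles`, the only denial still visible in these TestListRoles hunks is the `notMember` constant used for the non-member case. Nothing here pins that the new grant stops at read. I would add a table case in which the plain member client tries to change a role assignment and the test expects a refusal, so that a later widening of the Member role fails a test instead of passing silently. The test table and the function body start and end outside these hunks, so such a case may already exist elsewhere in the file.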