fix: User's should be able to read what roles available (#1575)

Steven Masley
2022-05-18 15:47:43 -05:00
committed by GitHub
parent 8bd1abee33
commit 2638c274cb
3 changed files with 21 additions and 6 deletions


@ -67,6 +67,7 @@ var (
Site: permissions(map[Object][]Action{ Site: permissions(map[Object][]Action{
// All users can read all other users and know they exist. // All users can read all other users and know they exist.
ResourceUser: {ActionRead}, ResourceUser: {ActionRead},
ResourceRoleAssignment: {ActionRead},
}), }),
User: permissions(map[Object][]Action{ User: permissions(map[Object][]Action{
ResourceWildcard: {WildcardSymbol}, ResourceWildcard: {WildcardSymbol},
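Review bot: The new `ResourceRoleAssignment: {ActionRead}` entry sits under the `Site` map, so the read grant applies site-wide to every holder of this role, and unlike the `ResourceUser` line above it has no comment stating the intent. If this resource object also governs reading who holds which role (not visible in this hunk), the grant is wider than the commit title's "what roles available"; please confirm and record the intent, e.g. `// All users can list the roles that exist; this grants read only, not assignment.`. The list-roles test in this commit keeps a `notMember` expectation, which suggests organization membership is still enforced separately, but a test asserting that this role cannot create or delete a role assignment would pin that boundary. The role definition starts and ends outside the hunk.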


@ -34,7 +34,7 @@ func TestRoleByName(t *testing.T) {
t.Run(c.Role.Name, func(t *testing.T) { t.Run(c.Role.Name, func(t *testing.T) {
role, err := RoleByName(c.Role.Name) role, err := RoleByName(c.Role.Name)
require.NoError(t, err, "role exists") require.NoError(t, err, "role exists")
require.Equal(t, c.Role, role) equalRoles(t, c.Role, role)
}) })
} }
}) })
@ -53,3 +53,18 @@ func TestRoleByName(t *testing.T) {
require.Error(t, err, "expect orgID") require.Error(t, err, "expect orgID")
}) })
} }
// SameAs compares 2 roles for equality.
func equalRoles(t *testing.T, a, b Role) {
require.Equal(t, a.Name, b.Name, "role names")
require.Equal(t, a.DisplayName, b.DisplayName, "role display names")
require.ElementsMatch(t, a.Site, b.Site, "site permissions")
require.ElementsMatch(t, a.User, b.User, "user permissions")
require.Equal(t, len(a.Org), len(b.Org), "same number of org roles")
for ak, av := range a.Org {
bv, ok := b.Org[ak]
require.True(t, ok, "org permissions missing: %s", ak)
require.ElementsMatchf(t, av, bv, "org %s permissions", ak)
}
}
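Review bot: The doc comment on the new helper names `SameAs`, but the function is `equalRoles`, and it promises "equality" while the body compares the permission lists with `ElementsMatch`, which ignores order. Since this helper now defines what the RBAC role tests accept as "the same role", the comment should say so: `// equalRoles asserts that a and b have the same names and the same permission sets, ignoring order.` Adding `t.Helper()` as the first statement would make failures point at the calling subtest rather than at the helper. The org loop also passes a format string to `require.True` while using `require.ElementsMatchf` on the next line; using the `f` variants consistently (`require.Truef`) would read more cleanly.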


@ -112,7 +112,6 @@ func TestListRoles(t *testing.T) {
}) })
require.NoError(t, err, "create org") require.NoError(t, err, "create org")
const unauth = "forbidden"
const notMember = "not a member of the organization" const notMember = "not a member of the organization"
testCases := []struct { testCases := []struct {
@ -128,14 +127,14 @@ func TestListRoles(t *testing.T) {
x, err := member.ListSiteRoles(ctx) x, err := member.ListSiteRoles(ctx)
return x, err return x, err
}, },
AuthorizedError: unauth, ExpectedRoles: convertRoles(rbac.SiteRoles()),
}, },
{ {
Name: "OrgMemberListOrg", Name: "OrgMemberListOrg",
APICall: func() ([]codersdk.Role, error) { APICall: func() ([]codersdk.Role, error) {
return member.ListOrganizationRoles(ctx, admin.OrganizationID) return member.ListOrganizationRoles(ctx, admin.OrganizationID)
}, },
AuthorizedError: unauth, ExpectedRoles: convertRoles(rbac.OrganizationRoles(admin.OrganizationID)),
}, },
{ {
Name: "NonOrgMemberListOrg", Name: "NonOrgMemberListOrg",
@ -150,7 +149,7 @@ func TestListRoles(t *testing.T) {
APICall: func() ([]codersdk.Role, error) { APICall: func() ([]codersdk.Role, error) {
return orgAdmin.ListSiteRoles(ctx) return orgAdmin.ListSiteRoles(ctx)
}, },
AuthorizedError: unauth, ExpectedRoles: convertRoles(rbac.SiteRoles()),
}, },
{ {
Name: "OrgAdminListOrg", Name: "OrgAdminListOrg",