fix: User's should be able to read what roles available (#1575)
@ -66,7 +66,8 @@ var (
|
|||||||
DisplayName: "Member",
|
DisplayName: "Member",
|
||||||
Site: permissions(map[Object][]Action{
|
Site: permissions(map[Object][]Action{
|
||||||
// All users can read all other users and know they exist.
|
// All users can read all other users and know they exist.
|
||||||
ResourceUser: {ActionRead},
|
ResourceUser: {ActionRead},
|
||||||
|
ResourceRoleAssignment: {ActionRead},
|
||||||
}),
|
}),
|
||||||
User: permissions(map[Object][]Action{
|
User: permissions(map[Object][]Action{
|
||||||
ResourceWildcard: {WildcardSymbol},
|
ResourceWildcard: {WildcardSymbol},
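Review bot: The new `ResourceRoleAssignment: {ActionRead},` entry sits under a comment that only describes `ResourceUser`, so the reason every member gets site-wide read on role assignments is undocumented. Because the grant is in the `Site` map rather than scoped to an organization, it presumably also covers organization-scoped role assignments, which would leave the separate membership check as the only thing keeping non-members from listing an organization's roles; confirm that this is intended. I would add above the entry `// All users can read which roles exist. Read only: nothing beyond ActionRead is granted on role assignments at site scope.` The enclosing `var (` block starts and ends outside the hunk.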
|
||||||
|
@ -34,7 +34,7 @@ func TestRoleByName(t *testing.T) {
|
|||||||
t.Run(c.Role.Name, func(t *testing.T) {
|
t.Run(c.Role.Name, func(t *testing.T) {
|
||||||
role, err := RoleByName(c.Role.Name)
|
role, err := RoleByName(c.Role.Name)
|
||||||
require.NoError(t, err, "role exists")
|
require.NoError(t, err, "role exists")
|
||||||
require.Equal(t, c.Role, role)
|
equalRoles(t, c.Role, role)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
@ -53,3 +53,18 @@ func TestRoleByName(t *testing.T) {
|
|||||||
require.Error(t, err, "expect orgID")
|
require.Error(t, err, "expect orgID")
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SameAs compares 2 roles for equality.
|
||||||
|
func equalRoles(t *testing.T, a, b Role) {
|
||||||
|
require.Equal(t, a.Name, b.Name, "role names")
|
||||||
|
require.Equal(t, a.DisplayName, b.DisplayName, "role display names")
|
||||||
|
require.ElementsMatch(t, a.Site, b.Site, "site permissions")
|
||||||
|
require.ElementsMatch(t, a.User, b.User, "user permissions")
|
||||||
|
require.Equal(t, len(a.Org), len(b.Org), "same number of org roles")
|
||||||
|
|
||||||
|
for ak, av := range a.Org {
|
||||||
|
bv, ok := b.Org[ak]
|
||||||
|
require.True(t, ok, "org permissions missing: %s", ak)
|
||||||
|
require.ElementsMatchf(t, av, bv, "org %s permissions", ak)
|
||||||
|
}
|
||||||
|
}
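Review bot: The doc comment on the new helper says `SameAs`, but the function is named `equalRoles`. The comment should start with the real name and say that order is ignored, for example `// equalRoles asserts that two roles have the same names and the same permission sets, ignoring the order of permissions.` The helper also never calls `t.Helper()`, so a failed assertion is reported at a line inside `equalRoles` instead of at the calling subtest in `TestRoleByName`; adding `t.Helper()` as the first statement fixes that. Since this replaces a strict `require.Equal` in an RBAC test, the comment should also record that permission order is deliberately not compared.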
|
||||||
|
@ -112,7 +112,6 @@ func TestListRoles(t *testing.T) {
|
|||||||
})
|
})
|
||||||
require.NoError(t, err, "create org")
|
require.NoError(t, err, "create org")
|
||||||
|
|
||||||
const unauth = "forbidden"
|
|
||||||
const notMember = "not a member of the organization"
|
const notMember = "not a member of the organization"
|
||||||
|
|
||||||
testCases := []struct {
|
testCases := []struct {
|
||||||
@ -128,14 +127,14 @@ func TestListRoles(t *testing.T) {
|
|||||||
x, err := member.ListSiteRoles(ctx)
|
x, err := member.ListSiteRoles(ctx)
|
||||||
return x, err
|
return x, err
|
||||||
},
|
},
|
||||||
AuthorizedError: unauth,
|
ExpectedRoles: convertRoles(rbac.SiteRoles()),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "OrgMemberListOrg",
|
Name: "OrgMemberListOrg",
|
||||||
APICall: func() ([]codersdk.Role, error) {
|
APICall: func() ([]codersdk.Role, error) {
|
||||||
return member.ListOrganizationRoles(ctx, admin.OrganizationID)
|
return member.ListOrganizationRoles(ctx, admin.OrganizationID)
|
||||||
},
|
},
|
||||||
AuthorizedError: unauth,
|
ExpectedRoles: convertRoles(rbac.OrganizationRoles(admin.OrganizationID)),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "NonOrgMemberListOrg",
|
Name: "NonOrgMemberListOrg",
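Review bot: With the `unauth` constant deleted, `TestListRoles` can no longer contain a case that expects a forbidden response, so the only denial still visible here is the `notMember` path of `NonOrgMemberListOrg`. That case now guards the boundary that the new site-wide read permission relies on, and it deserves a comment saying so, for example `// Site-level read on role assignments must not bypass the organization membership check.` The body of the `NonOrgMemberListOrg` case and the rest of the table lie outside these hunks, so this assumes the case still asserts `notMember`. The same applies to the `OrgAdminListSite` change in the following hunk, which also swaps `AuthorizedError: unauth` for `ExpectedRoles`.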
|
||||||
@ -150,7 +149,7 @@ func TestListRoles(t *testing.T) {
|
|||||||
APICall: func() ([]codersdk.Role, error) {
|
APICall: func() ([]codersdk.Role, error) {
|
||||||
return orgAdmin.ListSiteRoles(ctx)
|
return orgAdmin.ListSiteRoles(ctx)
|
||||||
},
|
},
|
||||||
AuthorizedError: unauth,
|
ExpectedRoles: convertRoles(rbac.SiteRoles()),
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
Name: "OrgAdminListOrg",
|
Name: "OrgAdminListOrg",
|
||||||
|