fix: allow group members to read group information (#14200)

* - allow group members to read basic Group info
- allow group members to see that they are part of the group, but not to see the same information about other members
- add a GetGroupMembersCountByGroupID SQL query, which allows group members to see members count without revealing other information about the members
- add the group_members_expanded db view
- rewrite group member queries to use the group_members_expanded view
- add the RBAC ResourceGroupMember and add it to relevant roles
- rewrite GetGroupMembersByGroupID permission checks
- make the GroupMember type contain all user fields
- fix type issues coming from replacing User with GroupMember in group member queries
- add the MemberTotalCount field to codersdk.Group
- display `group.total_member_count` instead of `group.members.length` on the account page
Hugo Dutka
2024-08-13 16:20:24 +02:00
committed by GitHub
parent 60218c4c78
commit 6f9b1a39f4
38 changed files with 734 additions and 315 deletions


@ -77,10 +77,10 @@ func (api *API) postGroupByOrganization(rw http.ResponseWriter, r *http.Request)
return
}
var emptyUsers []database.User
aReq.New = group.Auditable(emptyUsers)
var emptyMembers []database.GroupMember
aReq.New = group.Auditable(emptyMembers)
httpapi.Write(ctx, rw, http.StatusCreated, db2sdk.Group(group, nil))
httpapi.Write(ctx, rw, http.StatusCreated, db2sdk.Group(group, nil, 0))
}
// @Summary Update group by name
@ -285,7 +285,13 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) {
aReq.New = group.Auditable(patchedMembers)
httpapi.Write(ctx, rw, http.StatusOK, db2sdk.Group(group, patchedMembers))
memberCount, err := api.Database.GetGroupMembersCountByGroupID(ctx, group.ID)
if err != nil {
httpapi.InternalServerError(rw, err)
return
}
httpapi.Write(ctx, rw, http.StatusOK, db2sdk.Group(group, patchedMembers, int(memberCount)))
}
// @Summary Delete group by name
@ -370,7 +376,13 @@ func (api *API) group(rw http.ResponseWriter, r *http.Request) {
return
}
httpapi.Write(ctx, rw, http.StatusOK, db2sdk.Group(group, users))
memberCount, err := api.Database.GetGroupMembersCountByGroupID(ctx, group.ID)
if err != nil {
httpapi.InternalServerError(rw, err)
return
}
httpapi.Write(ctx, rw, http.StatusOK, db2sdk.Group(group, users, int(memberCount)))
}
// @Summary Get groups by organization
@ -414,8 +426,13 @@ func (api *API) groups(rw http.ResponseWriter, r *http.Request) {
httpapi.InternalServerError(rw, err)
return
}
memberCount, err := api.Database.GetGroupMembersCountByGroupID(ctx, group.ID)
if err != nil {
httpapi.InternalServerError(rw, err)
return
}
resp = append(resp, db2sdk.Group(group, members))
resp = append(resp, db2sdk.Group(group, members, int(memberCount)))
}
httpapi.Write(ctx, rw, http.StatusOK, resp)
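Review bot: In patchGroup the new `GetGroupMembersCountByGroupID` call sits after `aReq.New = group.Auditable(patchedMembers)`, so it appears to run once the update has already been applied; if the count query fails, the caller gets a 500 for a change that took effect and may retry it. Consider reading the count alongside the update itself (that code is outside the visible hunk), or at least marking the spot with `// The group is already updated here; a failure below only affects the response body.` The same lookup in the groups handler runs once per group inside the loop, so a single failed or denied count aborts the whole listing and adds one query per group; a batched count would avoid both. The handlers pass the raw error to `httpapi.InternalServerError`, so it is worth confirming that an authorization failure from the count query is not reported to the client as a 500. All four function bodies begin outside the hunks shown.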