fix(coderd): add stricter authorization for provisioners endpoint (#16587)

References #16558
Mathias Fredriksson
2025-02-17 14:34:47 +02:00
committed by GitHub
parent fbea757b8b
commit 7f061b9faf
4 changed files with 23 additions and 10 deletions


@ -71,7 +71,7 @@ func TestProvisioners_Golden(t *testing.T) {
})
owner := coderdtest.CreateFirstUser(t, client)
templateAdminClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.ScopedRoleOrgTemplateAdmin(owner.OrganizationID))
memberClient, member := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
_, member := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
// Create initial resources with a running provisioner.
firstProvisioner := coderdtest.NewTaggedProvisionerDaemon(t, coderdAPI, "default-provisioner", map[string]string{"owner": "", "scope": "organization"})
@ -178,8 +178,9 @@ func TestProvisioners_Golden(t *testing.T) {
t.Logf("replace[%q] = %q", id, replaceID)
}
// Test provisioners list with member as members can access
// provisioner daemons.
// Test provisioners list with template admin as members are currently
// unable to access provisioner jobs. In the future (with RBAC
// changes), we may allow them to view _their_ jobs.
t.Run("list", func(t *testing.T) {
t.Parallel()
@ -190,7 +191,7 @@ func TestProvisioners_Golden(t *testing.T) {
"--column", "id,created at,last seen at,name,version,tags,key name,status,current job id,current job status,previous job id,previous job status,organization",
)
inv.Stdout = &got
clitest.SetupConfig(t, memberClient, root)
clitest.SetupConfig(t, templateAdminClient, root)
err := inv.Run()
require.NoError(t, err)