fix: omit users for 'Everyone' group in response (#5937)

2025-07-06 15:41:45 +00:00 · 2023-01-31 13:30:20 -06:00
parent 69fce0488e
commit c162c0f284
7 changed files with 26 additions and 90 deletions
--- a/enterprise/coderd/groups_test.go
+++ b/enterprise/coderd/groups_test.go
@ -605,6 +605,26 @@ func TestGroup(t *testing.T) {
 		require.NotContains(t, group.Members, user1)
 		require.Contains(t, group.Members, user2)
 	})
+
+	t.Run("everyoneGroupReturnsEmpty", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdenttest.New(t, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+
+		_ = coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
+			Features: license.Features{
+				codersdk.FeatureTemplateRBAC: 1,
+			},
+		})
+		ctx, _ := testutil.Context(t)
+		// The 'Everyone' group always has an ID that matches the organization ID.
+		group, err := client.Group(ctx, user.OrganizationID)
+		require.NoError(t, err)
+		require.Len(t, group.Members, 0)
+		require.Equal(t, "Everyone", group.Name)
+		require.Equal(t, user.OrganizationID, group.OrganizationID)
+	})
 }

 // TODO: test auth.
--- a/enterprise/coderd/templates.go
+++ b/enterprise/coderd/templates.go
@ -78,16 +78,11 @@ func (api *API) templateACL(rw http.ResponseWriter, r *http.Request) {
 	for _, group := range dbGroups {
 		var members []database.User

-		if group.Name == database.AllUsersGroup {
-			members, err = api.Database.GetAllOrganizationMembers(ctx, group.OrganizationID)
-		} else {
-			members, err = api.Database.GetGroupMembers(ctx, group.ID)
-		}
+		members, err = api.Database.GetGroupMembers(ctx, group.ID)
 		if err != nil {
 			httpapi.InternalServerError(rw, err)
 			return
 		}
-
 		groups = append(groups, codersdk.TemplateGroup{
 			Group: convertGroup(group.Group, members),
 			Role:  convertToTemplateRole(group.Actions),
--- a/enterprise/coderd/templates_test.go
+++ b/enterprise/coderd/templates_test.go
@ -66,7 +66,7 @@ func TestTemplateACL(t *testing.T) {
 		require.Contains(t, acl.Users, templateUser3)
 	})

-	t.Run("allUsersGroup", func(t *testing.T) {
+	t.Run("everyoneGroup", func(t *testing.T) {
 		t.Parallel()
 		client := coderdenttest.New(t, nil)
 		user := coderdtest.CreateFirstUser(t, client)
@ -76,7 +76,8 @@ func TestTemplateACL(t *testing.T) {
 			},
 		})

-		_, user1 := coderdtest.CreateAnotherUserWithUser(t, client, user.OrganizationID)
+		// Create a user to assert they aren't returned in the response.
+		_, _ = coderdtest.CreateAnotherUserWithUser(t, client, user.OrganizationID)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
 		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)

@ -87,8 +88,8 @@ func TestTemplateACL(t *testing.T) {
 		require.NoError(t, err)

 		require.Len(t, acl.Groups, 1)
-		require.Len(t, acl.Groups[0].Members, 2)
-		require.Contains(t, acl.Groups[0].Members, user1)
+		// We don't return members for the 'Everyone' group.
+		require.Len(t, acl.Groups[0].Members, 0)
 		require.Len(t, acl.Users, 0)
 	})