mirror of
https://github.com/coder/coder.git
synced 2025-07-03 16:13:58 +00:00
7c71053eab
Fixes an issue where we extracted the `{user}` parameter from the URL and added it to the API Handler context regardless of whether the caller had permission to read the User.
111 lines
3.3 KiB
Go
111 lines
3.3 KiB
Go
package coderd
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
|
|
"github.com/google/uuid"
|
|
|
|
"golang.org/x/xerrors"
|
|
|
|
"github.com/coder/coder/v2/coderd/database/db2sdk"
|
|
"github.com/coder/coder/v2/coderd/rbac"
|
|
|
|
"github.com/coder/coder/v2/coderd/database"
|
|
"github.com/coder/coder/v2/coderd/httpapi"
|
|
"github.com/coder/coder/v2/coderd/httpmw"
|
|
"github.com/coder/coder/v2/codersdk"
|
|
)
|
|
|
|
// @Summary Assign role to organization member
|
|
// @ID assign-role-to-organization-member
|
|
// @Security CoderSessionToken
|
|
// @Accept json
|
|
// @Produce json
|
|
// @Tags Members
|
|
// @Param organization path string true "Organization ID"
|
|
// @Param user path string true "User ID, name, or me"
|
|
// @Param request body codersdk.UpdateRoles true "Update roles request"
|
|
// @Success 200 {object} codersdk.OrganizationMember
|
|
// @Router /organizations/{organization}/members/{user}/roles [put]
|
|
func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
|
|
var (
|
|
ctx = r.Context()
|
|
organization = httpmw.OrganizationParam(r)
|
|
member = httpmw.OrganizationMemberParam(r)
|
|
apiKey = httpmw.APIKey(r)
|
|
)
|
|
|
|
if apiKey.UserID == member.UserID {
|
|
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
|
|
Message: "You cannot change your own organization roles.",
|
|
})
|
|
return
|
|
}
|
|
|
|
var params codersdk.UpdateRoles
|
|
if !httpapi.Read(ctx, rw, r, ¶ms) {
|
|
return
|
|
}
|
|
|
|
updatedUser, err := api.updateOrganizationMemberRoles(ctx, database.UpdateMemberRolesParams{
|
|
GrantedRoles: params.Roles,
|
|
UserID: member.UserID,
|
|
OrgID: organization.ID,
|
|
})
|
|
if err != nil {
|
|
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
|
|
Message: err.Error(),
|
|
})
|
|
return
|
|
}
|
|
|
|
httpapi.Write(ctx, rw, http.StatusOK, convertOrganizationMember(updatedUser))
|
|
}
|
|
|
|
func (api *API) updateOrganizationMemberRoles(ctx context.Context, args database.UpdateMemberRolesParams) (database.OrganizationMember, error) {
|
|
// Enforce only site wide roles
|
|
for _, r := range args.GrantedRoles {
|
|
// Must be an org role for the org in the args
|
|
orgID, ok := rbac.IsOrgRole(r)
|
|
if !ok {
|
|
return database.OrganizationMember{}, xerrors.Errorf("must only update organization roles")
|
|
}
|
|
|
|
roleOrg, err := uuid.Parse(orgID)
|
|
if err != nil {
|
|
return database.OrganizationMember{}, xerrors.Errorf("Role must have proper UUIDs for organization, %q does not", r)
|
|
}
|
|
|
|
if roleOrg != args.OrgID {
|
|
return database.OrganizationMember{}, xerrors.Errorf("Must only pass roles for org %q", args.OrgID.String())
|
|
}
|
|
|
|
if _, err := rbac.RoleByName(r); err != nil {
|
|
return database.OrganizationMember{}, xerrors.Errorf("%q is not a supported role", r)
|
|
}
|
|
}
|
|
|
|
updatedUser, err := api.Database.UpdateMemberRoles(ctx, args)
|
|
if err != nil {
|
|
return database.OrganizationMember{}, xerrors.Errorf("Update site roles: %w", err)
|
|
}
|
|
return updatedUser, nil
|
|
}
|
|
|
|
func convertOrganizationMember(mem database.OrganizationMember) codersdk.OrganizationMember {
|
|
convertedMember := codersdk.OrganizationMember{
|
|
UserID: mem.UserID,
|
|
OrganizationID: mem.OrganizationID,
|
|
CreatedAt: mem.CreatedAt,
|
|
UpdatedAt: mem.UpdatedAt,
|
|
Roles: make([]codersdk.Role, 0, len(mem.Roles)),
|
|
}
|
|
|
|
for _, roleName := range mem.Roles {
|
|
rbacRole, _ := rbac.RoleByName(roleName)
|
|
convertedMember.Roles = append(convertedMember.Roles, db2sdk.Role(rbacRole))
|
|
}
|
|
return convertedMember
|
|
}
|