
Commit 2638c27

authored
fix: User's should be able to read what roles available (#1575)
1 parent 8bd1abe commit 2638c27


3 files changed

+21
-6
lines changed

3 files changed

+21
-6
lines changed

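--- a/coderd/rbac/builtin.go
+++ b/coderd/rbac/builtin.go
@@ -66,7 +66,8 @@ var (
 DisplayName: "Member",
 Site: permissions(map[Object][]Action{
 // All users can read all other users and know they exist.
-ResourceUser: {ActionRead},
+ResourceUser: {ActionRead},
+ResourceRoleAssignment: {ActionRead},
 }),
 User: permissions(map[Object][]Action{
 ResourceWildcard: {WildcardSymbol},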
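Review bot: The comment above the Site map still describes only `ResourceUser`, so the new `ResourceRoleAssignment: {ActionRead}` entry is undocumented even though it widens what every member can read. Because the grant sits in the site-level map, it presumably applies to role assignments in every organization, and org isolation for role listing would then depend on a membership check outside this role definition; worth confirming that check still runs for org-scoped listings. I would add a line such as `// All users can read which roles exist; only ActionRead is granted here.` above the new entry. The enclosing `var (` block starts and ends outside the hunk.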

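--- a/coderd/rbac/builtin_internal_test.go
+++ b/coderd/rbac/builtin_internal_test.go
@@ -34,7 +34,7 @@ func TestRoleByName(t *testing.T) {
 t.Run(c.Role.Name, func(t *testing.T) {
 role, err := RoleByName(c.Role.Name)
 require.NoError(t, err, "role exists")
-require.Equal(t, c.Role, role)
+equalRoles(t, c.Role, role)
 })
 }
 })
@@ -53,3 +53,18 @@ func TestRoleByName(t *testing.T) {
 require.Error(t, err, "expect orgID")
 })
 }
+
+// SameAs compares 2 roles for equality.
+func equalRoles(t *testing.T, a, b Role) {
+require.Equal(t, a.Name, b.Name, "role names")
+require.Equal(t, a.DisplayName, b.DisplayName, "role display names")
+require.ElementsMatch(t, a.Site, b.Site, "site permissions")
+require.ElementsMatch(t, a.User, b.User, "user permissions")
+require.Equal(t, len(a.Org), len(b.Org), "same number of org roles")
+
+for ak, av := range a.Org {
+bv, ok := b.Org[ak]
+require.True(t, ok, "org permissions missing: %s", ak)
+require.ElementsMatchf(t, av, bv, "org %s permissions", ak)
+}
+}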
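Review bot: The doc comment on the new helper names `SameAs`, but the function is `equalRoles`, and the helper never calls `t.Helper()`, so a failed assertion is reported at the helper's line rather than at the calling subtest. I would change the comment to `// equalRoles asserts that two roles match, comparing permission lists without regard to order.` and make `t.Helper()` the first statement. Replacing `require.Equal` with `require.ElementsMatch` also means the test no longer pins permission order; if role evaluation is order-sensitive anywhere, that deserves a separate ordered assertion. The last check uses `ElementsMatchf` while the others pass message arguments to the non-`f` form, and picking one keeps the helper uniform.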

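--- a/coderd/roles_test.go
+++ b/coderd/roles_test.go
@@ -112,7 +112,6 @@ func TestListRoles(t *testing.T) {
 })
 require.NoError(t, err, "create org")
 
-const unauth = "forbidden"
 const notMember = "not a member of the organization"
 
 testCases := []struct {
@@ -128,14 +127,14 @@ func TestListRoles(t *testing.T) {
 x, err := member.ListSiteRoles(ctx)
 return x, err
 },
-AuthorizedError: unauth,
+ExpectedRoles: convertRoles(rbac.SiteRoles()),
 },
 {
 Name: "OrgMemberListOrg",
 APICall: func() ([]codersdk.Role, error) {
 return member.ListOrganizationRoles(ctx, admin.OrganizationID)
 },
-AuthorizedError: unauth,
+ExpectedRoles: convertRoles(rbac.OrganizationRoles(admin.OrganizationID)),
 },
 {
 Name: "NonOrgMemberListOrg",
@@ -150,7 +149,7 @@ func TestListRoles(t *testing.T) {
 APICall: func() ([]codersdk.Role, error) {
 return orgAdmin.ListSiteRoles(ctx)
 },
-AuthorizedError: unauth,
+ExpectedRoles: convertRoles(rbac.SiteRoles()),
 },
 {
 Name: "OrgAdminListOrg",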
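Review bot: With `unauth` removed, none of the cases visible in these hunks asserts an RBAC denial any more; the only negative expectation left in view is the `notMember` constant, presumably used by `NonOrgMemberListOrg`, whose body lies outside the hunk. Since role read is now granted to every member at site level, that case is the one guarding org-scoped listings against non-members. I would mark it with a comment such as `// Role read is site-wide for members; this case guards org-scoped listings against non-members.` so it is not dropped in a later cleanup. The `testCases` literal and `TestListRoles` start and end outside these hunks.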
