diff --git a/cli/provisioners_test.go b/cli/provisioners_test.go
index ec528cfeda7cc..30a89714ff57f 100644
--- a/cli/provisioners_test.go
+++ b/cli/provisioners_test.go
@@ -71,7 +71,7 @@ func TestProvisioners_Golden(t *testing.T) {
})
owner := coderdtest.CreateFirstUser(t, client)
templateAdminClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.ScopedRoleOrgTemplateAdmin(owner.OrganizationID))
- memberClient, member := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+ _, member := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
// Create initial resources with a running provisioner.
firstProvisioner := coderdtest.NewTaggedProvisionerDaemon(t, coderdAPI, "default-provisioner", map[string]string{"owner": "", "scope": "organization"})
@@ -178,8 +178,9 @@ func TestProvisioners_Golden(t *testing.T) {
t.Logf("replace[%q] = %q", id, replaceID)
}
- // Test provisioners list with member as members can access
- // provisioner daemons.
+ // Test provisioners list with template admin as members are currently
+ // unable to access provisioner jobs. In the future (with RBAC
+ // changes), we may allow them to view _their_ jobs.
t.Run("list", func(t *testing.T) {
t.Parallel()
@@ -190,7 +191,7 @@ func TestProvisioners_Golden(t *testing.T) {
"--column", "id,created at,last seen at,name,version,tags,key name,status,current job id,current job status,previous job id,previous job status,organization",
)
inv.Stdout = &got
- clitest.SetupConfig(t, memberClient, root)
+ clitest.SetupConfig(t, templateAdminClient, root)
err := inv.Run()
require.NoError(t, err)
diff --git a/coderd/provisionerdaemons.go b/coderd/provisionerdaemons.go
index e701771770091..6495c4eb15bee 100644
--- a/coderd/provisionerdaemons.go
+++ b/coderd/provisionerdaemons.go
@@ -9,6 +9,8 @@ import (
"github.com/coder/coder/v2/coderd/httpapi"
"github.com/coder/coder/v2/coderd/httpmw"
"github.com/coder/coder/v2/coderd/provisionerdserver"
+ "github.com/coder/coder/v2/coderd/rbac"
+ "github.com/coder/coder/v2/coderd/rbac/policy"
"github.com/coder/coder/v2/coderd/util/ptr"
"github.com/coder/coder/v2/codersdk"
)
@@ -31,6 +33,13 @@ func (api *API) provisionerDaemons(rw http.ResponseWriter, r *http.Request) {
org = httpmw.OrganizationParam(r)
)
+ // This endpoint returns information about provisioner jobs.
+ // For now, only owners and template admins can access provisioner jobs.
+ if !api.Authorize(r, policy.ActionRead, rbac.ResourceProvisionerJobs.InOrg(org.ID)) {
+ httpapi.ResourceNotFound(rw)
+ return
+ }
+
qp := r.URL.Query()
p := httpapi.NewQueryParamParser()
limit := p.PositiveInt32(qp, 50, "limit")
diff --git a/coderd/provisionerdaemons_test.go b/coderd/provisionerdaemons_test.go
index 6496b4dd57e0a..d6d1138f7a912 100644
--- a/coderd/provisionerdaemons_test.go
+++ b/coderd/provisionerdaemons_test.go
@@ -241,11 +241,14 @@ func TestProvisionerDaemons(t *testing.T) {
require.Nil(t, daemons[0].PreviousJob)
})
- t.Run("MemberAllowed", func(t *testing.T) {
+ // For now, this is not allowed even though the member has created a
+ // workspace. Once member-level permissions for jobs are supported
+ // by RBAC, this test should be updated.
+ t.Run("MemberDenied", func(t *testing.T) {
t.Parallel()
ctx := testutil.Context(t, testutil.WaitMedium)
daemons, err := memberClient.OrganizationProvisionerDaemons(ctx, owner.OrganizationID, nil)
- require.NoError(t, err)
- require.Len(t, daemons, 50)
+ require.Error(t, err)
+ require.Len(t, daemons, 0)
})
}
diff --git a/enterprise/coderd/provisionerdaemons_test.go b/enterprise/coderd/provisionerdaemons_test.go
index 20d784467591f..0cd812b45c5f1 100644
--- a/enterprise/coderd/provisionerdaemons_test.go
+++ b/enterprise/coderd/provisionerdaemons_test.go
@@ -953,7 +953,7 @@ func TestGetProvisionerDaemons(t *testing.T) {
org := coderdenttest.CreateOrganization(t, client, coderdenttest.CreateOrganizationOptions{
IncludeProvisionerDaemon: false,
})
- orgAdmin, _ := coderdtest.CreateAnotherUser(t, client, org.ID, rbac.ScopedRoleOrgMember(org.ID))
+ orgTemplateAdmin, _ := coderdtest.CreateAnotherUser(t, client, org.ID, rbac.ScopedRoleOrgTemplateAdmin(org.ID))
daemonCreatedAt := time.Now()
@@ -986,11 +986,11 @@ func TestGetProvisionerDaemons(t *testing.T) {
require.NoError(t, err, "should be able to create provisioner daemon")
daemonAsCreated := db2sdk.ProvisionerDaemon(pd)
- allDaemons, err := orgAdmin.OrganizationProvisionerDaemons(ctx, org.ID, nil)
+ allDaemons, err := orgTemplateAdmin.OrganizationProvisionerDaemons(ctx, org.ID, nil)
require.NoError(t, err)
require.Len(t, allDaemons, 1)
- daemonsAsFound, err := orgAdmin.OrganizationProvisionerDaemons(ctx, org.ID, &codersdk.OrganizationProvisionerDaemonsOptions{
+ daemonsAsFound, err := orgTemplateAdmin.OrganizationProvisionerDaemons(ctx, org.ID, &codersdk.OrganizationProvisionerDaemonsOptions{
Tags: tt.tagsToFilterBy,
})
if tt.expectToGetDaemon {
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy