Commit3c27fdb

Emyrkkylecarbs
authored andcommitted
feat: Prevent role changing on yourself. (#1931)
* feat: Prevent role changing on yourself. Only allow changing roles on other users. Not much value in self changing at the moment.
1 parent786d056 commit3c27fdb


3 files changed

+32
-4
lines changed


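--- a/coderd/members.go
+++ b/coderd/members.go
@@ -20,6 +20,14 @@ func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 	organization := httpmw.OrganizationParam(r)
 	member := httpmw.OrganizationMemberParam(r)
+	apiKey := httpmw.APIKey(r)
+
+	if apiKey.UserID == member.UserID {
+		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+			Message: "You cannot change your own organization roles.",
+		})
+		return
+	}
 
 	var params codersdk.UpdateRoles
 	if !httpapi.Read(rw, r, &params) {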
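Review bot: The guard at new lines 25–30 answers a policy refusal with 400 Bad Request, while the same test file treats the neighbouring "cannot change other's roles" denials as 403 Forbidden, so callers now get two different status classes for one category of refusal; `http.StatusForbidden` would be the conventional choice, or if 400 is deliberate the reason belongs in a comment. The code also gives no hint why self-modification is blocked, and the commit message ("not much value in self changing at the moment") is the only place that says it; I would add above the `if`: `// Changing one's own org roles is not supported yet; reject it outright rather than letting it reach the role update below.` The comparison is against `member.UserID` as resolved by OrganizationMemberParam, so it appears to cover both an explicit user ID and the `me` alias the tests use. putMemberRoles continues past the hunk, so any authorization that runs after body parsing is not visible here.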

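--- a/coderd/users.go
+++ b/coderd/users.go
@@ -474,6 +474,14 @@ func (api *API) putUserRoles(rw http.ResponseWriter, r *http.Request) {
 	// User is the user to modify.
 	user := httpmw.UserParam(r)
 	roles := httpmw.UserRoles(r)
+	apiKey := httpmw.APIKey(r)
+
+	if apiKey.UserID == user.ID {
+		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+			Message: "You cannot change your own roles.",
+		})
+		return
+	}
 
 	var params codersdk.UpdateRoles
 	if !httpapi.Read(rw, r, &params) {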
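Review bot: The self-check at new lines 479–484 is a verbatim copy of the one added to putMemberRoles in the same commit, differing only in the message; a tiny shared helper that wraps `httpmw.APIKey(r).UserID == id` would keep the two rules from drifting apart if the policy is later relaxed. Because the guard runs before the request body is read and before any authorization the handler performs further down (outside this hunk), a caller who is not permitted to change roles at all is told 400 when naming themselves but presumably 403 when naming anyone else; placing the guard after authorization, or returning `http.StatusForbidden`, would make the denial uniform. The comparison uses `user.ID` from UserParam, so both an explicit ID and the `me` alias are caught. putUserRoles continues outside the hunk.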

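--- a/coderd/users_test.go
+++ b/coderd/users_test.go
@@ -409,11 +409,11 @@ func TestGrantRoles(t *testing.T) {
 	t.Run("UpdateIncorrectRoles", func(t *testing.T) {
 		t.Parallel()
 		ctx := context.Background()
+		var err error
+
 		admin := coderdtest.New(t, nil)
 		first := coderdtest.CreateFirstUser(t, admin)
 		member := coderdtest.CreateAnotherUser(t, admin, first.OrganizationID)
-		memberUser, err := member.User(ctx, codersdk.Me)
-		require.NoError(t, err, "member user")
 
 		_, err = admin.UpdateUserRoles(ctx, codersdk.Me, codersdk.UpdateRoles{
 			Roles: []string{rbac.RoleOrgMember(first.OrganizationID)},
@@ -445,7 +445,7 @@ func TestGrantRoles(t *testing.T) {
 		require.Error(t, err, "member cannot change other's roles")
 		requireStatusCode(t, err, http.StatusForbidden)
 
-		_, err = member.UpdateUserRoles(ctx, memberUser.ID.String(), codersdk.UpdateRoles{
+		_, err = member.UpdateUserRoles(ctx, first.UserID.String(), codersdk.UpdateRoles{
 			Roles: []string{rbac.RoleMember()},
 		})
 		require.Error(t, err, "member cannot change any roles")
@@ -456,6 +456,18 @@ func TestGrantRoles(t *testing.T) {
 		})
 		require.Error(t, err, "member cannot change other's org roles")
 		requireStatusCode(t, err, http.StatusForbidden)
+
+		_, err = admin.UpdateUserRoles(ctx, first.UserID.String(), codersdk.UpdateRoles{
+			Roles: []string{},
+		})
+		require.Error(t, err, "admin cannot change self roles")
+		requireStatusCode(t, err, http.StatusBadRequest)
+
+		_, err = admin.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, first.UserID.String(), codersdk.UpdateRoles{
+			Roles: []string{},
+		})
+		require.Error(t, err, "admin cannot change self org roles")
+		requireStatusCode(t, err, http.StatusBadRequest)
 	})
 
 	t.Run("FirstUserRoles", func(t *testing.T) {
@@ -508,7 +520,7 @@ func TestGrantRoles(t *testing.T) {
 		require.NoError(t, err, "grant member admin role")
 
 		// Promote to org admin
-		_, err = member.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, codersdk.Me, codersdk.UpdateRoles{
+		_, err = admin.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, memberUser.ID.String(), codersdk.UpdateRoles{
 			Roles: []string{
 				// Promote to org admin
 				rbac.RoleOrgMember(first.OrganizationID),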
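Review bot: The untouched call at new line 418, `admin.UpdateUserRoles(ctx, codersdk.Me, ...)` in UpdateIncorrectRoles, now targets the caller itself, so the new self-change guard rejects it with 400 before the incorrect-role validation runs; whatever assertion follows it outside the first hunk will still see an error, but it no longer proves that an org role is refused as a site role. Since this commit deleted the `memberUser` lookup from that subtest, the simplest repair is to keep it and point the request at the other user: `memberUser, err := member.User(ctx, codersdk.Me)` / `require.NoError(t, err, "member user")` / `_, err = admin.UpdateUserRoles(ctx, memberUser.ID.String(), codersdk.UpdateRoles{`, which also makes the added `var err error` unnecessary. The new assertions at lines 460–470 correctly pin the 400 for both the site-role and org-role endpoints. TestGrantRoles begins and ends outside this section.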
