@@ -591,17 +591,30 @@ func TestRolePermissions(t *testing.T) {
591591},
592592},
593593{
594- // Users should be able toCRUD their own frobulators
595- // Admins from the current organization should be able toCRUD any other user's frobulators
596- // Owner should be able toCRUD any other user's frobulators
597- Name :"Frobulators " ,
598- Actions : []policy.Action {policy .ActionRead , policy . ActionCreate ,policy .ActionUpdate ,policy .ActionDelete },
594+ // Users should be able tomodify their own frobulators
595+ // Admins from the current organization should be able tomodify any other user's frobulators
596+ // Owner should be able tomodify any other user's frobulators
597+ Name :"FrobulatorsModify " ,
598+ Actions : []policy.Action {policy .ActionCreate ,policy .ActionUpdate ,policy .ActionDelete },
599599Resource :rbac .ResourceFrobulator .WithOwner (currentUser .String ()).InOrg (orgID ),
600600AuthorizeMap :map [bool ][]hasAuthSubjects {
601601true : {orgMemberMe ,orgAdmin ,owner },
602602false : {setOtherOrg ,memberMe ,templateAdmin ,userAdmin ,orgTemplateAdmin ,orgUserAdmin ,orgAuditor },
603603},
604604},
605+ {
606+ // Users should be able to read their own frobulators
607+ // Admins from the current organization should be able to read any other user's frobulators
608+ // Auditors should be able to read any other user's frobulators
609+ // Owner should be able to read any other user's frobulators
610+ Name :"FrobulatorsReadOnly" ,
611+ Actions : []policy.Action {policy .ActionRead },
612+ Resource :rbac .ResourceFrobulator .WithOwner (currentUser .String ()).InOrg (orgID ),
613+ AuthorizeMap :map [bool ][]hasAuthSubjects {
614+ true : {orgMemberMe ,orgAdmin ,owner ,orgAuditor },
615+ false : {setOtherOrg ,memberMe ,templateAdmin ,userAdmin ,orgTemplateAdmin ,orgUserAdmin },
616+ },
617+ },
605618{
606619// Owner should be able to CRUD any other user's frobulators
607620Name :"FrobulatorsAnyUser" ,
@@ -613,14 +626,15 @@ func TestRolePermissions(t *testing.T) {
613626},
614627},
615628{
616- // Admins from the current organization should be able to CRUD any other user's frobulators
617- // Owner should be able to CRUD any other user's frobulators
618- Name :"FrobulatorsAnyUserInOrg" ,
619- Actions : []policy.Action {policy .ActionRead ,policy .ActionCreate ,policy .ActionUpdate ,policy .ActionDelete },
629+ // Admins from the current organization should be able to read any other user's frobulators
630+ // Auditors should be able to read any other user's frobulators
631+ // Owner should be able to read any other user's frobulators
632+ Name :"FrobulatorsReadAnyUserInOrg" ,
633+ Actions : []policy.Action {policy .ActionRead },
620634Resource :rbac .ResourceFrobulator .InOrg (orgID ).WithOwner (uuid .New ().String ()),// read frobulators of any user
621635AuthorizeMap :map [bool ][]hasAuthSubjects {
622- true : {owner ,orgAdmin },
623- false : {memberMe ,orgMemberMe ,setOtherOrg ,templateAdmin ,userAdmin ,orgTemplateAdmin ,orgUserAdmin , orgAuditor },
636+ true : {owner ,orgAdmin , orgAuditor },
637+ false : {memberMe ,orgMemberMe ,setOtherOrg ,templateAdmin ,userAdmin ,orgTemplateAdmin ,orgUserAdmin },
624638},
625639},
626640// AnyOrganization tests