NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commitd93629b

authored

fix: check permission to update username (#20139)

1 parentd63bb2c commitd93629bCopy full SHA for d93629b

File tree

2 files changed

+66

-5

lines changed

coderd
- users.go
- users_test.go

2 files changed

+66

-5

lines changed

`‎coderd/users.go‎`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -753,6 +753,14 @@ func (api API) putUserProfile(rw http.ResponseWriter, r http.Request) {`
`753`	`753`	`if!httpapi.Read(ctx,rw,r,&params) {`
`754`	`754`	`return`
`755`	`755`	`}`
	`756`	`+`
	`757`	`+// If caller wants to update user's username, they need "update_users" permission.`
	`758`	`+// This is restricted to user admins only.`
	`759`	`+ifparams.Username!=user.Username&&!api.Authorize(r,policy.ActionUpdate,user) {`
	`760`	`+httpapi.ResourceNotFound(rw)`
	`761`	`+return`
	`762`	`+}`
	`763`	`+`
`756`	`764`	`existentUser,err:=api.Database.GetUserByEmailOrUsername(ctx, database.GetUserByEmailOrUsernameParams{`
`757`	`765`	`Username:params.Username,`
`758`	`766`	`})`

`‎coderd/users_test.go‎`

Lines changed: 58 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -1051,7 +1051,7 @@ func TestUpdateUserProfile(t *testing.T) {`
`1051`	`1051`	`require.Equal(t,database.AuditActionWrite,auditor.AuditLogs()[numLogs-1].Action)`
`1052`	`1052`	`})`
`1053`	`1053`
`1054`		`-t.Run("UpdateSelfAsMember",func(t*testing.T) {`
	`1054`	`+t.Run("UpdateSelfAsMember_Name",func(t*testing.T) {`
`1055`	`1055`	`t.Parallel()`
`1056`	`1056`	`auditor:=audit.NewMock()`
`1057`	`1057`	`client:=coderdtest.New(t,&coderdtest.Options{Auditor:auditor})`
`@@ -1060,29 +1060,82 @@ func TestUpdateUserProfile(t *testing.T) {`
`1060`	`1060`	`firstUser:=coderdtest.CreateFirstUser(t,client)`
`1061`	`1061`	`numLogs++// add an audit log for login`
`1062`	`1062`
`1063`		`-memberClient,_:=coderdtest.CreateAnotherUser(t,client,firstUser.OrganizationID)`
	`1063`	`+memberClient,memberUser:=coderdtest.CreateAnotherUser(t,client,firstUser.OrganizationID)`
`1064`	`1064`	`numLogs++// add an audit log for user creation`
`1065`	`1065`
`1066`	`1066`	`ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitLong)`
`1067`	`1067`	`defercancel()`
`1068`	`1068`
`1069`		`-newUsername:=coderdtest.RandomUsername(t)`
`1070`	`1069`	`newName:=coderdtest.RandomName(t)`
`1071`	`1070`	`userProfile,err:=memberClient.UpdateUserProfile(ctx,codersdk.Me, codersdk.UpdateUserProfileRequest{`
`1072`		`-Username:newUsername,`
`1073`	`1071`	`Name:newName,`
	`1072`	`+Username:memberUser.Username,`
`1074`	`1073`	`})`
`1075`	`1074`	`numLogs++// add an audit log for user update`
`1076`	`1075`	`numLogs++// add an audit log for API key creation`
`1077`	`1076`
`1078`	`1077`	`require.NoError(t,err)`
`1079`		`-require.Equal(t,newUsername,userProfile.Username)`
	`1078`	`+require.Equal(t,memberUser.Username,userProfile.Username)`
`1080`	`1079`	`require.Equal(t,newName,userProfile.Name)`
`1081`	`1080`
`1082`	`1081`	`require.Len(t,auditor.AuditLogs(),numLogs)`
`1083`	`1082`	`require.Equal(t,database.AuditActionWrite,auditor.AuditLogs()[numLogs-1].Action)`
`1084`	`1083`	`})`
`1085`	`1084`
	`1085`	`+t.Run("UpdateSelfAsMember_Username",func(t*testing.T) {`
	`1086`	`+t.Parallel()`
	`1087`	`+auditor:=audit.NewMock()`
	`1088`	`+client:=coderdtest.New(t,&coderdtest.Options{Auditor:auditor})`
	`1089`	`+`
	`1090`	`+firstUser:=coderdtest.CreateFirstUser(t,client)`
	`1091`	`+memberClient,memberUser:=coderdtest.CreateAnotherUser(t,client,firstUser.OrganizationID)`
	`1092`	`+`
	`1093`	`+ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitLong)`
	`1094`	`+defercancel()`
	`1095`	`+`
	`1096`	`+newUsername:=coderdtest.RandomUsername(t)`
	`1097`	`+_,err:=memberClient.UpdateUserProfile(ctx,codersdk.Me, codersdk.UpdateUserProfileRequest{`
	`1098`	`+Name:memberUser.Name,`
	`1099`	`+Username:newUsername,`
	`1100`	`+})`
	`1101`	`+`
	`1102`	`+varapiErr*codersdk.Error`
	`1103`	`+require.ErrorAs(t,err,&apiErr)`
	`1104`	`+require.Equal(t,http.StatusNotFound,apiErr.StatusCode())`
	`1105`	`+})`
	`1106`	`+`
	`1107`	`+t.Run("UpdateMemberAsAdmin_Username",func(t*testing.T) {`
	`1108`	`+t.Parallel()`
	`1109`	`+auditor:=audit.NewMock()`
	`1110`	`+adminClient:=coderdtest.New(t,&coderdtest.Options{Auditor:auditor})`
	`1111`	`+numLogs:=len(auditor.AuditLogs())`
	`1112`	`+`
	`1113`	`+adminUser:=coderdtest.CreateFirstUser(t,adminClient)`
	`1114`	`+numLogs++// add an audit log for login`
	`1115`	`+`
	`1116`	`+_,memberUser:=coderdtest.CreateAnotherUser(t,adminClient,adminUser.OrganizationID)`
	`1117`	`+numLogs++// add an audit log for user creation`
	`1118`	`+`
	`1119`	`+ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitLong)`
	`1120`	`+defercancel()`
	`1121`	`+`
	`1122`	`+newUsername:=coderdtest.RandomUsername(t)`
	`1123`	`+userProfile,err:=adminClient.UpdateUserProfile(ctx,codersdk.Me, codersdk.UpdateUserProfileRequest{`
	`1124`	`+Name:memberUser.Name,`
	`1125`	`+Username:newUsername,`
	`1126`	`+})`
	`1127`	`+`
	`1128`	`+numLogs++// add an audit log for user update`
	`1129`	`+numLogs++// add an audit log for API key creation`
	`1130`	`+`
	`1131`	`+require.NoError(t,err)`
	`1132`	`+require.Equal(t,newUsername,userProfile.Username)`
	`1133`	`+require.Equal(t,memberUser.Name,userProfile.Name)`
	`1134`	`+`
	`1135`	`+require.Len(t,auditor.AuditLogs(),numLogs)`
	`1136`	`+require.Equal(t,database.AuditActionWrite,auditor.AuditLogs()[numLogs-1].Action)`
	`1137`	`+})`
	`1138`	`+`
`1086`	`1139`	`t.Run("InvalidRealUserName",func(t*testing.T) {`
`1087`	`1140`	`t.Parallel()`
`1088`	`1141`	`client:=coderdtest.New(t,nil)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitd93629b

File tree

2 files changed

2 files changed

`‎coderd/users.go‎`

`‎coderd/users_test.go‎`

0 commit comments