2022-04-29 14:04:19 +00:00
|
|
|
package coderd
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"net/http"
|
|
|
|
|
|
|
|
"github.com/google/uuid"
|
|
|
|
|
|
|
|
"golang.org/x/xerrors"
|
|
|
|
|
|
|
|
"github.com/coder/coder/coderd/rbac"
|
|
|
|
|
|
|
|
"github.com/coder/coder/coderd/database"
|
|
|
|
"github.com/coder/coder/coderd/httpapi"
|
|
|
|
"github.com/coder/coder/coderd/httpmw"
|
|
|
|
"github.com/coder/coder/codersdk"
|
|
|
|
)
|
|
|
|
|
2022-05-26 03:14:08 +00:00
|
|
|
func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
|
2022-09-21 22:07:00 +00:00
|
|
|
var (
|
|
|
|
ctx = r.Context()
|
|
|
|
user = httpmw.UserParam(r)
|
|
|
|
organization = httpmw.OrganizationParam(r)
|
|
|
|
member = httpmw.OrganizationMemberParam(r)
|
|
|
|
apiKey = httpmw.APIKey(r)
|
|
|
|
actorRoles = httpmw.UserAuthorization(r)
|
|
|
|
)
|
2022-05-31 20:50:38 +00:00
|
|
|
|
|
|
|
if apiKey.UserID == member.UserID {
|
2022-09-21 22:07:00 +00:00
|
|
|
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
|
2022-05-31 20:50:38 +00:00
|
|
|
Message: "You cannot change your own organization roles.",
|
|
|
|
})
|
|
|
|
return
|
|
|
|
}
|
2022-04-29 14:04:19 +00:00
|
|
|
|
|
|
|
var params codersdk.UpdateRoles
|
2022-09-21 22:07:00 +00:00
|
|
|
if !httpapi.Read(ctx, rw, r, ¶ms) {
|
2022-04-29 14:04:19 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-06-01 14:07:50 +00:00
|
|
|
// The org-member role is always implied.
|
|
|
|
impliedTypes := append(params.Roles, rbac.RoleOrgMember(organization.ID))
|
|
|
|
added, removed := rbac.ChangeRoleSet(member.Roles, impliedTypes)
|
2022-08-09 18:16:53 +00:00
|
|
|
|
|
|
|
// Assigning a role requires the create permission.
|
|
|
|
if len(added) > 0 && !api.Authorize(r, rbac.ActionCreate, rbac.ResourceOrgRoleAssignment.InOrg(organization.ID)) {
|
|
|
|
httpapi.Forbidden(rw)
|
|
|
|
return
|
2022-05-25 16:00:59 +00:00
|
|
|
}
|
2022-08-09 18:16:53 +00:00
|
|
|
|
|
|
|
// Removing a role requires the delete permission.
|
|
|
|
if len(removed) > 0 && !api.Authorize(r, rbac.ActionDelete, rbac.ResourceOrgRoleAssignment.InOrg(organization.ID)) {
|
|
|
|
httpapi.Forbidden(rw)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Just treat adding & removing as "assigning" for now.
|
|
|
|
for _, roleName := range append(added, removed...) {
|
|
|
|
if !rbac.CanAssignRole(actorRoles.Roles, roleName) {
|
2022-06-14 15:14:05 +00:00
|
|
|
httpapi.Forbidden(rw)
|
2022-05-25 16:00:59 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-09-21 22:07:00 +00:00
|
|
|
updatedUser, err := api.updateOrganizationMemberRoles(ctx, database.UpdateMemberRolesParams{
|
2022-04-29 14:04:19 +00:00
|
|
|
GrantedRoles: params.Roles,
|
|
|
|
UserID: user.ID,
|
|
|
|
OrgID: organization.ID,
|
|
|
|
})
|
|
|
|
if err != nil {
|
2022-09-21 22:07:00 +00:00
|
|
|
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
|
2022-04-29 14:04:19 +00:00
|
|
|
Message: err.Error(),
|
|
|
|
})
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-09-21 22:07:00 +00:00
|
|
|
httpapi.Write(ctx, rw, http.StatusOK, convertOrganizationMember(updatedUser))
|
2022-04-29 14:04:19 +00:00
|
|
|
}
|
|
|
|
|
2022-05-26 03:14:08 +00:00
|
|
|
func (api *API) updateOrganizationMemberRoles(ctx context.Context, args database.UpdateMemberRolesParams) (database.OrganizationMember, error) {
|
2022-04-29 14:04:19 +00:00
|
|
|
// Enforce only site wide roles
|
|
|
|
for _, r := range args.GrantedRoles {
|
|
|
|
// Must be an org role for the org in the args
|
|
|
|
orgID, ok := rbac.IsOrgRole(r)
|
|
|
|
if !ok {
|
|
|
|
return database.OrganizationMember{}, xerrors.Errorf("must only update organization roles")
|
|
|
|
}
|
|
|
|
|
|
|
|
roleOrg, err := uuid.Parse(orgID)
|
|
|
|
if err != nil {
|
2022-06-03 21:48:09 +00:00
|
|
|
return database.OrganizationMember{}, xerrors.Errorf("Role must have proper UUIDs for organization, %q does not", r)
|
2022-04-29 14:04:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if roleOrg != args.OrgID {
|
2022-06-03 21:48:09 +00:00
|
|
|
return database.OrganizationMember{}, xerrors.Errorf("Must only pass roles for org %q", args.OrgID.String())
|
2022-04-29 14:04:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if _, err := rbac.RoleByName(r); err != nil {
|
|
|
|
return database.OrganizationMember{}, xerrors.Errorf("%q is not a supported role", r)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
updatedUser, err := api.Database.UpdateMemberRoles(ctx, args)
|
|
|
|
if err != nil {
|
2022-06-03 21:48:09 +00:00
|
|
|
return database.OrganizationMember{}, xerrors.Errorf("Update site roles: %w", err)
|
2022-04-29 14:04:19 +00:00
|
|
|
}
|
|
|
|
return updatedUser, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func convertOrganizationMember(mem database.OrganizationMember) codersdk.OrganizationMember {
|
2022-08-24 19:58:57 +00:00
|
|
|
convertedMember := codersdk.OrganizationMember{
|
2022-04-29 14:04:19 +00:00
|
|
|
UserID: mem.UserID,
|
|
|
|
OrganizationID: mem.OrganizationID,
|
|
|
|
CreatedAt: mem.CreatedAt,
|
|
|
|
UpdatedAt: mem.UpdatedAt,
|
2022-08-24 19:58:57 +00:00
|
|
|
Roles: make([]codersdk.Role, 0, len(mem.Roles)),
|
2022-04-29 14:04:19 +00:00
|
|
|
}
|
2022-08-24 19:58:57 +00:00
|
|
|
|
|
|
|
for _, roleName := range mem.Roles {
|
|
|
|
rbacRole, _ := rbac.RoleByName(roleName)
|
|
|
|
convertedMember.Roles = append(convertedMember.Roles, convertRole(rbacRole))
|
|
|
|
}
|
|
|
|
return convertedMember
|
2022-04-29 14:04:19 +00:00
|
|
|
}
|