chore: remove autocreate orgs on CreateUser (#12434)

New users must be explicitly given an organization to join.
Organizations should not be auto created as a side effect of
creating a new user.
This commit is contained in:
Steven Masley 2024-03-06 07:29:28 -06:00 committed by GitHub
parent 842799847a
commit 23ff807a27
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 13 additions and 46 deletions


@ -1351,20 +1351,16 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
// This can happen if a user is a built-in user but is signing in // This can happen if a user is a built-in user but is signing in
// with OIDC for the first time. // with OIDC for the first time.
if user.ID == uuid.Nil { if user.ID == uuid.Nil {
var organizationID uuid.UUID // Until proper multi-org support, all users will be added to the default organization.
// Ignoring this error is a product of our unit tests. In prod this should never // The default organization should always be present.
// happen. Unit tests use this as a shortcut to making a new organization. We
// should really fix our unit tests and remove this.
//nolint:gocritic //nolint:gocritic
organization, _ := tx.GetDefaultOrganization(dbauthz.AsSystemRestricted(ctx)) defaultOrganization, err := tx.GetDefaultOrganization(dbauthz.AsSystemRestricted(ctx))
if err != nil {
// Add the user to the default organization. return xerrors.Errorf("unable to fetch default organization: %w", err)
// Once multi-organization we should check some configuration to see }
// if we should add the user to a different organization.
organizationID = organization.ID
//nolint:gocritic //nolint:gocritic
_, err := tx.GetUserByEmailOrUsername(dbauthz.AsSystemRestricted(ctx), database.GetUserByEmailOrUsernameParams{ _, err = tx.GetUserByEmailOrUsername(dbauthz.AsSystemRestricted(ctx), database.GetUserByEmailOrUsernameParams{
Username: params.Username, Username: params.Username,
}) })
if err == nil { if err == nil {
@ -1402,13 +1398,9 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
CreateUserRequest: codersdk.CreateUserRequest{ CreateUserRequest: codersdk.CreateUserRequest{
Email: params.Email, Email: params.Email,
Username: params.Username, Username: params.Username,
OrganizationID: organizationID, OrganizationID: defaultOrganization.ID,
}, },
// All of the userauth tests depend on this being able to create LoginType: params.LoginType,
// the first organization. It shouldn't be possible in normal
// operation.
CreateOrganization: organizationID == uuid.Nil,
LoginType: params.LoginType,
}) })
if err != nil { if err != nil {
return xerrors.Errorf("create user: %w", err) return xerrors.Errorf("create user: %w", err)
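Review bot: The two `dbauthz.AsSystemRestricted(ctx)` calls in this hunk (the default-organization fetch and the `GetUserByEmailOrUsername` lookup) run with system privileges, and now that the old explanatory comment is gone the only annotation left is `//nolint:gocritic`, so the reason the elevation is needed is no longer stated. A short justification above each call would let a reader verify its scope, e.g. `// System context: this runs before the signing-in user exists, so there is no actor yet; only the default org and a username lookup are read.` The new `unable to fetch default organization: %w` wrapping also departs from the file's terse verb-noun convention visible in `create user: %w`; `return xerrors.Errorf("get default organization: %w", err)` would match it. Both the enclosing oauthLogin and the `if user.ID == uuid.Nil` block extend beyond the hunk.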


@ -201,8 +201,7 @@ func (api *API) postFirstUser(rw http.ResponseWriter, r *http.Request) {
Password: createUser.Password, Password: createUser.Password,
OrganizationID: defaultOrg.ID, OrganizationID: defaultOrg.ID,
}, },
CreateOrganization: false, LoginType: database.LoginTypePassword,
LoginType: database.LoginTypePassword,
}) })
if err != nil { if err != nil {
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{ httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
@ -1231,8 +1230,7 @@ func (api *API) organizationByUserAndName(rw http.ResponseWriter, r *http.Reques
type CreateUserRequest struct { type CreateUserRequest struct {
codersdk.CreateUserRequest codersdk.CreateUserRequest
CreateOrganization bool LoginType database.LoginType
LoginType database.LoginType
} }
func (api *API) CreateUser(ctx context.Context, store database.Store, req CreateUserRequest) (database.User, uuid.UUID, error) { func (api *API) CreateUser(ctx context.Context, store database.Store, req CreateUserRequest) (database.User, uuid.UUID, error) {
@ -1245,32 +1243,9 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create
var user database.User var user database.User
return user, req.OrganizationID, store.InTx(func(tx database.Store) error { return user, req.OrganizationID, store.InTx(func(tx database.Store) error {
orgRoles := make([]string, 0) orgRoles := make([]string, 0)
// If no organization is provided, create a new one for the user. // Organization is required to know where to allocate the user.
if req.OrganizationID == uuid.Nil { if req.OrganizationID == uuid.Nil {
if !req.CreateOrganization { return xerrors.Errorf("organization ID must be provided")
return xerrors.Errorf("organization ID must be provided")
}
organization, err := tx.InsertOrganization(ctx, database.InsertOrganizationParams{
ID: uuid.New(),
Name: req.Username,
CreatedAt: dbtime.Now(),
UpdatedAt: dbtime.Now(),
Description: "",
})
if err != nil {
return xerrors.Errorf("create organization: %w", err)
}
req.OrganizationID = organization.ID
// TODO: When organizations are allowed to be created, we should
// come back to determining the default role of the person who
// creates the org. Until that happens, all users in an organization
// should be just regular members. Membership role is implied, and
// not required to be explicit.
_, err = tx.InsertAllUsersGroup(ctx, organization.ID)
if err != nil {
return xerrors.Errorf("create %q group: %w", database.EveryoneGroup, err)
}
} }
params := database.InsertUserParams{ params := database.InsertUserParams{