fix: No org admins until organizations are in the UI (#5414)

* fix: No org admins until organizations are in the UI Until organizations have management UI, we should not set any org admins. This goes around the site wide perms transparently and is confusing to users. Default user is no longer an org admin, so the demotion test makes no sense
2022-12-14 11:05:42 -06:00 · 2022-12-14 11:05:42 -06:00 · 27386d49d0
parent 012a9e759e
commit 27386d49d0
5 changed files with 17 additions and 12 deletions
--- a/coderd/database/migrations/000086_no_org_admins.down.sql
+++ b/coderd/database/migrations/000086_no_org_admins.down.sql
--- a/coderd/database/migrations/000086_no_org_admins.up.sql
+++ b/coderd/database/migrations/000086_no_org_admins.up.sql
@ -0,0 +1,6 @@
+UPDATE 
+  organization_members
+SET 
+  roles = ARRAY [] :: text[]
+WHERE 
+  'organization-admin:'||organization_id = ANY(roles);
--- a/coderd/organizations.go
+++ b/coderd/organizations.go
@ -76,7 +76,11 @@ func (api *API) postOrganizations(rw http.ResponseWriter, r *http.Request) {
 			CreatedAt:      database.Now(),
 			UpdatedAt:      database.Now(),
 			Roles: []string{
-				rbac.RoleOrgAdmin(organization.ID),
+				// TODO: When organizations are allowed to be created, we should
+				// come back to determining the default role of the person who
+				// creates the org. Until that happens, all users in an organization
+				// should be just regular members.
+				rbac.RoleOrgMember(organization.ID),
 			},
 		})
 		if err != nil {
--- a/coderd/users.go
+++ b/coderd/users.go
@ -1071,7 +1071,11 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create
 				return xerrors.Errorf("create organization: %w", err)
 			}
 			req.OrganizationID = organization.ID
-			orgRoles = append(orgRoles, rbac.RoleOrgAdmin(req.OrganizationID))
+			// TODO: When organizations are allowed to be created, we should
+			// come back to determining the default role of the person who
+			// creates the org. Until that happens, all users in an organization
+			// should be just regular members.
+			orgRoles = append(orgRoles, rbac.RoleOrgMember(req.OrganizationID))

 			_, err = tx.InsertAllUsersGroup(ctx, organization.ID)
 			if err != nil {
--- a/coderd/users_test.go
+++ b/coderd/users_test.go
@ -817,15 +817,6 @@ func TestGrantSiteRoles(t *testing.T) {
 			Error:        true,
 			StatusCode:   http.StatusForbidden,
 		},
-		{
-			Name:         "MemberAssignMember",
-			Client:       member,
-			OrgID:        first.OrganizationID,
-			AssignToUser: first.UserID.String(),
-			Roles:        []string{},
-			Error:        true,
-			StatusCode:   http.StatusForbidden,
-		},
 		{
 			Name:         "AdminUpdateOrgSelf",
 			Client:       admin,
@ -921,7 +912,7 @@ func TestInitialRoles(t *testing.T) {
 	}, "should be a member and admin")

 	require.ElementsMatch(t, roles.OrganizationRoles[first.OrganizationID], []string{
-		rbac.RoleOrgAdmin(first.OrganizationID),
+		rbac.RoleOrgMember(first.OrganizationID),
 	}, "should be a member and admin")
 }