
fix(coderd): prevent user-admin from resetting owner password (#25709… · coder/coder@931d4fa

@@ -1572,6 +1572,57 @@ func TestUpdateUserPassword(t *testing.T) {

15721572

require.Equal(t, http.StatusNotFound, cerr.StatusCode())

15731573

})

157415741575+

t.Run("UserAdminCannotResetOwnerPassword", func(t *testing.T) {

1576+

t.Parallel()

1577+

client := coderdtest.New(t, nil)

1578+

owner := coderdtest.CreateFirstUser(t, client)

1579+

userAdmin, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.RoleUserAdmin())

1580+1581+

ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)

1582+

defer cancel()

1583+1584+

err := userAdmin.UpdateUserPassword(ctx, owner.UserID.String(), codersdk.UpdateUserPasswordRequest{

1585+

Password: "SomeNewStrongPassword!",

1586+

})

1587+

require.Error(t, err, "user-admin should not be able to reset owner password")

1588+

var apiErr *codersdk.Error

1589+

require.ErrorAs(t, err, &apiErr)

1590+

require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())

1591+

require.Contains(t, apiErr.Message, "Only owners can change the password of an owner")

1592+

})

1593+1594+

t.Run("OwnerCanResetOwnerPassword", func(t *testing.T) {

1595+

t.Parallel()

1596+

client := coderdtest.New(t, nil)

1597+

owner := coderdtest.CreateFirstUser(t, client)

1598+1599+

ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)

1600+

defer cancel()

1601+1602+

anotherOwner, err := client.CreateUserWithOrgs(ctx, codersdk.CreateUserRequestWithOrgs{

1603+

Email: "another-owner@coder.com",

1604+

Username: "another-owner",

1605+

Password: "SomeStrongPassword!",

1606+

OrganizationIDs: []uuid.UUID{owner.OrganizationID},

1607+

})

1608+

require.NoError(t, err)

1609+

_, err = client.UpdateUserRoles(ctx, anotherOwner.ID.String(), codersdk.UpdateRoles{

1610+

Roles: []string{rbac.RoleOwner().String()},

1611+

})

1612+

require.NoError(t, err)

1613+1614+

err = client.UpdateUserPassword(ctx, anotherOwner.ID.String(), codersdk.UpdateUserPasswordRequest{

1615+

Password: "SomeNewStrongPassword!",

1616+

})

1617+

require.NoError(t, err, "owner should be able to reset another owner's password")

1618+1619+

_, err = client.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{

1620+

Email: "another-owner@coder.com",

1621+

Password: "SomeNewStrongPassword!",

1622+

})

1623+

require.NoError(t, err, "other owner should login with the new password")

1624+

})

1625+15751626

t.Run("PasswordsMustDiffer", func(t *testing.T) {

15761627

t.Parallel()

15771628