
fix(coderd): prevent user-admin from resetting owner password (#25709… · coder/coder@f15a934

@@ -1571,6 +1571,57 @@ func TestUpdateUserPassword(t *testing.T) {

15711571

require.Equal(t, http.StatusNotFound, cerr.StatusCode())

15721572

})

157315731574+

t.Run("UserAdminCannotResetOwnerPassword", func(t *testing.T) {

1575+

t.Parallel()

1576+

client := coderdtest.New(t, nil)

1577+

owner := coderdtest.CreateFirstUser(t, client)

1578+

userAdmin, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.RoleUserAdmin())

1579+1580+

ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)

1581+

defer cancel()

1582+1583+

err := userAdmin.UpdateUserPassword(ctx, owner.UserID.String(), codersdk.UpdateUserPasswordRequest{

1584+

Password: "SomeNewStrongPassword!",

1585+

})

1586+

require.Error(t, err, "user-admin should not be able to reset owner password")

1587+

var apiErr *codersdk.Error

1588+

require.ErrorAs(t, err, &apiErr)

1589+

require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())

1590+

require.Contains(t, apiErr.Message, "Only owners can change the password of an owner")

1591+

})

1592+1593+

t.Run("OwnerCanResetOwnerPassword", func(t *testing.T) {

1594+

t.Parallel()

1595+

client := coderdtest.New(t, nil)

1596+

owner := coderdtest.CreateFirstUser(t, client)

1597+1598+

ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)

1599+

defer cancel()

1600+1601+

anotherOwner, err := client.CreateUserWithOrgs(ctx, codersdk.CreateUserRequestWithOrgs{

1602+

Email: "another-owner@coder.com",

1603+

Username: "another-owner",

1604+

Password: "SomeStrongPassword!",

1605+

OrganizationIDs: []uuid.UUID{owner.OrganizationID},

1606+

})

1607+

require.NoError(t, err)

1608+

_, err = client.UpdateUserRoles(ctx, anotherOwner.ID.String(), codersdk.UpdateRoles{

1609+

Roles: []string{rbac.RoleOwner().String()},

1610+

})

1611+

require.NoError(t, err)

1612+1613+

err = client.UpdateUserPassword(ctx, anotherOwner.ID.String(), codersdk.UpdateUserPasswordRequest{

1614+

Password: "SomeNewStrongPassword!",

1615+

})

1616+

require.NoError(t, err, "owner should be able to reset another owner's password")

1617+1618+

_, err = client.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{

1619+

Email: "another-owner@coder.com",

1620+

Password: "SomeNewStrongPassword!",

1621+

})

1622+

require.NoError(t, err, "other owner should login with the new password")

1623+

})

1624+15741625

t.Run("PasswordsMustDiffer", func(t *testing.T) {

15751626

t.Parallel()

15761627