@ -226,7 +226,7 @@ func TestOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
t . Run ( test . desc , func ( t * testing . T ) { t . Run ( test . desc , func ( t * testing . T ) {
sc := setupHTTPServer ( t , true , true ) sc := setupHTTPServer ( t , true , true )
setInitCtxSignedInViewer ( sc . initCtx ) setInitCtxSignedInViewer ( sc . initCtx )
setAccessControlPermissions ( sc . acmock , test . permissions , sc . initCtx . OrgId ) setAccessControlPermissions ( sc . acmock , test . permissions , sc . initCtx . OrgID )
response := callAPI ( sc . server , http . MethodGet , test . url , nil , t ) response := callAPI ( sc . server , http . MethodGet , test . url , nil , t )
assert . Equal ( t , test . expectedCode , response . Code ) assert . Equal ( t , test . expectedCode , response . Code )
@ -236,8 +236,8 @@ func TestOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
var ( var (
testServerAdminViewer = user . SignedInUser { testServerAdminViewer = user . SignedInUser {
UserId : 1 , UserID : 1 ,
OrgId : 1 , OrgID : 1 ,
OrgName : "TestOrg1" , OrgName : "TestOrg1" ,
OrgRole : org . RoleViewer , OrgRole : org . RoleViewer ,
Login : "testServerAdmin" , Login : "testServerAdmin" ,
@ -249,8 +249,8 @@ var (
} }
testAdminOrg2 = user . SignedInUser { testAdminOrg2 = user . SignedInUser {
UserId : 2 , UserID : 2 ,
OrgId : 2 , OrgID : 2 ,
OrgName : "TestOrg2" , OrgName : "TestOrg2" ,
OrgRole : org . RoleAdmin , OrgRole : org . RoleAdmin ,
Login : "testAdmin" , Login : "testAdmin" ,
@ -262,8 +262,8 @@ var (
} }
testEditorOrg1 = user . SignedInUser { testEditorOrg1 = user . SignedInUser {
UserId : 3 , UserID : 3 ,
OrgId : 1 , OrgID : 1 ,
OrgName : "TestOrg1" , OrgName : "TestOrg1" ,
OrgRole : org . RoleEditor , OrgRole : org . RoleEditor ,
Login : "testEditor" , Login : "testEditor" ,
@ -291,14 +291,14 @@ func setupOrgUsersDBForAccessControlTests(t *testing.T, db sqlstore.Store) {
require . NoError ( t , err ) require . NoError ( t , err )
// Create both orgs with server admin
// Create both orgs with server admin
_ , err = db . CreateOrgWithMember ( testServerAdminViewer . OrgName , testServerAdminViewer . UserId ) _ , err = db . CreateOrgWithMember ( testServerAdminViewer . OrgName , testServerAdminViewer . UserID )
require . NoError ( t , err ) require . NoError ( t , err )
_ , err = db . CreateOrgWithMember ( testAdminOrg2 . OrgName , testServerAdminViewer . UserId ) _ , err = db . CreateOrgWithMember ( testAdminOrg2 . OrgName , testServerAdminViewer . UserID )
require . NoError ( t , err ) require . NoError ( t , err )
err = db . AddOrgUser ( context . Background ( ) , & models . AddOrgUserCommand { LoginOrEmail : testAdminOrg2 . Login , Role : testAdminOrg2 . OrgRole , OrgId : testAdminOrg2 . OrgId , UserId : testAdminOrg2 . UserId } ) err = db . AddOrgUser ( context . Background ( ) , & models . AddOrgUserCommand { LoginOrEmail : testAdminOrg2 . Login , Role : testAdminOrg2 . OrgRole , OrgId : testAdminOrg2 . OrgID , UserId : testAdminOrg2 . UserID } )
require . NoError ( t , err ) require . NoError ( t , err )
err = db . AddOrgUser ( context . Background ( ) , & models . AddOrgUserCommand { LoginOrEmail : testEditorOrg1 . Login , Role : testEditorOrg1 . OrgRole , OrgId : testEditorOrg1 . OrgId , UserId : testEditorOrg1 . UserId } ) err = db . AddOrgUser ( context . Background ( ) , & models . AddOrgUserCommand { LoginOrEmail : testEditorOrg1 . Login , Role : testEditorOrg1 . OrgRole , OrgId : testEditorOrg1 . OrgID , UserId : testEditorOrg1 . UserID } )
require . NoError ( t , err ) require . NoError ( t , err )
} }
@ -320,7 +320,7 @@ func TestGetOrgUsersAPIEndpoint_AccessControlMetadata(t *testing.T) {
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
expectedMetadata : nil , expectedMetadata : nil ,
user : testServerAdminViewer , user : testServerAdminViewer ,
targetOrg : testServerAdminViewer . OrgId , targetOrg : testServerAdminViewer . OrgID ,
} , } ,
{ {
name : "access control metadata requested" , name : "access control metadata requested" ,
@ -332,7 +332,7 @@ func TestGetOrgUsersAPIEndpoint_AccessControlMetadata(t *testing.T) {
"org.users:read" : true , "org.users:read" : true ,
"org.users:remove" : true } , "org.users:remove" : true } ,
user : testServerAdminViewer , user : testServerAdminViewer ,
targetOrg : testServerAdminViewer . OrgId , targetOrg : testServerAdminViewer . OrgID ,
} , } ,
} }
@ -377,7 +377,7 @@ func TestGetOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
expectedUserCount : 2 , expectedUserCount : 2 ,
user : testServerAdminViewer , user : testServerAdminViewer ,
targetOrg : testServerAdminViewer . OrgId , targetOrg : testServerAdminViewer . OrgID ,
} , } ,
{ {
name : "server admin can get users in another org (legacy)" , name : "server admin can get users in another org (legacy)" ,
@ -392,7 +392,7 @@ func TestGetOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
enableAccessControl : false , enableAccessControl : false ,
expectedCode : http . StatusForbidden , expectedCode : http . StatusForbidden ,
user : testAdminOrg2 , user : testAdminOrg2 ,
targetOrg : testAdminOrg2 . OrgId , targetOrg : testAdminOrg2 . OrgID ,
} , } ,
{ {
name : "org admin cannot get users in another org (legacy)" , name : "org admin cannot get users in another org (legacy)" ,
@ -407,7 +407,7 @@ func TestGetOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
expectedUserCount : 2 , expectedUserCount : 2 ,
user : testServerAdminViewer , user : testServerAdminViewer ,
targetOrg : testServerAdminViewer . OrgId , targetOrg : testServerAdminViewer . OrgID ,
} , } ,
{ {
name : "server admin can get users in another org" , name : "server admin can get users in another org" ,
@ -423,7 +423,7 @@ func TestGetOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
expectedUserCount : 2 , expectedUserCount : 2 ,
user : testAdminOrg2 , user : testAdminOrg2 ,
targetOrg : testAdminOrg2 . OrgId , targetOrg : testAdminOrg2 . OrgID ,
} , } ,
{ {
name : "org admin cannot get users in another org" , name : "org admin cannot get users in another org" ,
@ -470,7 +470,7 @@ func TestPostOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "server admin can add users to his org (legacy)" , name : "server admin can add users to his org (legacy)" ,
enableAccessControl : false , enableAccessControl : false ,
user : testServerAdminViewer , user : testServerAdminViewer ,
targetOrg : testServerAdminViewer . OrgId , targetOrg : testServerAdminViewer . OrgID ,
input : ` { "loginOrEmail": " ` + testAdminOrg2 . Login + ` ", "role": " ` + string ( testAdminOrg2 . OrgRole ) + ` "} ` , input : ` { "loginOrEmail": " ` + testAdminOrg2 . Login + ` ", "role": " ` + string ( testAdminOrg2 . OrgRole ) + ` "} ` ,
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
} , } ,
@ -487,7 +487,7 @@ func TestPostOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
enableAccessControl : false , enableAccessControl : false ,
expectedCode : http . StatusForbidden , expectedCode : http . StatusForbidden ,
user : testAdminOrg2 , user : testAdminOrg2 ,
targetOrg : testAdminOrg2 . OrgId , targetOrg : testAdminOrg2 . OrgID ,
input : ` { "loginOrEmail": " ` + testEditorOrg1 . Login + ` ", "role": " ` + string ( testEditorOrg1 . OrgRole ) + ` "} ` , input : ` { "loginOrEmail": " ` + testEditorOrg1 . Login + ` ", "role": " ` + string ( testEditorOrg1 . OrgRole ) + ` "} ` ,
} , } ,
{ {
@ -502,7 +502,7 @@ func TestPostOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "server admin can add users to his org" , name : "server admin can add users to his org" ,
enableAccessControl : true , enableAccessControl : true ,
user : testServerAdminViewer , user : testServerAdminViewer ,
targetOrg : testServerAdminViewer . OrgId , targetOrg : testServerAdminViewer . OrgID ,
input : ` { "loginOrEmail": " ` + testAdminOrg2 . Login + ` ", "role": " ` + string ( testAdminOrg2 . OrgRole ) + ` "} ` , input : ` { "loginOrEmail": " ` + testAdminOrg2 . Login + ` ", "role": " ` + string ( testAdminOrg2 . OrgRole ) + ` "} ` ,
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
} , } ,
@ -518,7 +518,7 @@ func TestPostOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "org admin can add users to his org" , name : "org admin can add users to his org" ,
enableAccessControl : true , enableAccessControl : true ,
user : testAdminOrg2 , user : testAdminOrg2 ,
targetOrg : testAdminOrg2 . OrgId , targetOrg : testAdminOrg2 . OrgID ,
input : ` { "loginOrEmail": " ` + testEditorOrg1 . Login + ` ", "role": " ` + string ( testEditorOrg1 . OrgRole ) + ` "} ` , input : ` { "loginOrEmail": " ` + testEditorOrg1 . Login + ` ", "role": " ` + string ( testEditorOrg1 . OrgRole ) + ` "} ` ,
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
} , } ,
@ -555,7 +555,7 @@ func TestPostOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
require . NoError ( t , err ) require . NoError ( t , err )
getUsersQuery := models . GetOrgUsersQuery { OrgId : tc . targetOrg , User : & user . SignedInUser { getUsersQuery := models . GetOrgUsersQuery { OrgId : tc . targetOrg , User : & user . SignedInUser {
OrgId : tc . targetOrg , OrgID : tc . targetOrg ,
Permissions : map [ int64 ] map [ string ] [ ] string { tc . targetOrg : { "org.users:read" : { "users:*" } } } , Permissions : map [ int64 ] map [ string ] [ ] string { tc . targetOrg : { "org.users:read" : { "users:*" } } } ,
} } } }
err = sc . db . GetOrgUsers ( context . Background ( ) , & getUsersQuery ) err = sc . db . GetOrgUsers ( context . Background ( ) , & getUsersQuery )
@ -610,7 +610,7 @@ func TestOrgUsersAPIEndpointWithSetPerms_AccessControl(t *testing.T) {
{ {
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
desc : "org viewer with the correct permissions can update a user's role to a viewer in his org" , desc : "org viewer with the correct permissions can update a user's role to a viewer in his org" ,
url : fmt . Sprintf ( "/api/org/users/%d" , testEditorOrg1 . UserId ) , url : fmt . Sprintf ( "/api/org/users/%d" , testEditorOrg1 . UserID ) ,
method : http . MethodPatch , method : http . MethodPatch ,
permissions : [ ] accesscontrol . Permission { { Action : accesscontrol . ActionOrgUsersWrite , Scope : accesscontrol . ScopeUsersAll } } , permissions : [ ] accesscontrol . Permission { { Action : accesscontrol . ActionOrgUsersWrite , Scope : accesscontrol . ScopeUsersAll } } ,
input : ` { "role": " ` + string ( org . RoleViewer ) + ` "} ` , input : ` { "role": " ` + string ( org . RoleViewer ) + ` "} ` ,
@ -618,7 +618,7 @@ func TestOrgUsersAPIEndpointWithSetPerms_AccessControl(t *testing.T) {
{ {
expectedCode : http . StatusForbidden , expectedCode : http . StatusForbidden ,
desc : "org viewer with the correct permissions cannot update a user's role to a viewer in his org" , desc : "org viewer with the correct permissions cannot update a user's role to a viewer in his org" ,
url : fmt . Sprintf ( "/api/org/users/%d" , testEditorOrg1 . UserId ) , url : fmt . Sprintf ( "/api/org/users/%d" , testEditorOrg1 . UserID ) ,
method : http . MethodPatch , method : http . MethodPatch ,
permissions : [ ] accesscontrol . Permission { { Action : accesscontrol . ActionOrgUsersWrite , Scope : accesscontrol . ScopeUsersAll } } , permissions : [ ] accesscontrol . Permission { { Action : accesscontrol . ActionOrgUsersWrite , Scope : accesscontrol . ScopeUsersAll } } ,
input : ` { "role": " ` + string ( org . RoleEditor ) + ` "} ` , input : ` { "role": " ` + string ( org . RoleEditor ) + ` "} ` ,
@ -626,7 +626,7 @@ func TestOrgUsersAPIEndpointWithSetPerms_AccessControl(t *testing.T) {
{ {
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
desc : "org viewer with the correct permissions can update a user's role to a viewer in his org" , desc : "org viewer with the correct permissions can update a user's role to a viewer in his org" ,
url : fmt . Sprintf ( "/api/orgs/1/users/%d" , testEditorOrg1 . UserId ) , url : fmt . Sprintf ( "/api/orgs/1/users/%d" , testEditorOrg1 . UserID ) ,
method : http . MethodPatch , method : http . MethodPatch ,
permissions : [ ] accesscontrol . Permission { { Action : accesscontrol . ActionOrgUsersWrite , Scope : accesscontrol . ScopeUsersAll } } , permissions : [ ] accesscontrol . Permission { { Action : accesscontrol . ActionOrgUsersWrite , Scope : accesscontrol . ScopeUsersAll } } ,
input : ` { "role": " ` + string ( org . RoleViewer ) + ` "} ` , input : ` { "role": " ` + string ( org . RoleViewer ) + ` "} ` ,
@ -634,7 +634,7 @@ func TestOrgUsersAPIEndpointWithSetPerms_AccessControl(t *testing.T) {
{ {
expectedCode : http . StatusForbidden , expectedCode : http . StatusForbidden ,
desc : "org viewer with the correct permissions cannot update a user's role to a viewer in his org" , desc : "org viewer with the correct permissions cannot update a user's role to a viewer in his org" ,
url : fmt . Sprintf ( "/api/orgs/1/users/%d" , testEditorOrg1 . UserId ) , url : fmt . Sprintf ( "/api/orgs/1/users/%d" , testEditorOrg1 . UserID ) ,
method : http . MethodPatch , method : http . MethodPatch ,
permissions : [ ] accesscontrol . Permission { { Action : accesscontrol . ActionOrgUsersWrite , Scope : accesscontrol . ScopeUsersAll } } , permissions : [ ] accesscontrol . Permission { { Action : accesscontrol . ActionOrgUsersWrite , Scope : accesscontrol . ScopeUsersAll } } ,
input : ` { "role": " ` + string ( org . RoleEditor ) + ` "} ` , input : ` { "role": " ` + string ( org . RoleEditor ) + ` "} ` ,
@ -665,7 +665,7 @@ func TestOrgUsersAPIEndpointWithSetPerms_AccessControl(t *testing.T) {
sc . hs . userService = userService sc . hs . userService = userService
setInitCtxSignedInViewer ( sc . initCtx ) setInitCtxSignedInViewer ( sc . initCtx )
setupOrgUsersDBForAccessControlTests ( t , sc . db ) setupOrgUsersDBForAccessControlTests ( t , sc . db )
setAccessControlPermissions ( sc . acmock , test . permissions , sc . initCtx . OrgId ) setAccessControlPermissions ( sc . acmock , test . permissions , sc . initCtx . OrgID )
input := strings . NewReader ( test . input ) input := strings . NewReader ( test . input )
response := callAPI ( sc . server , test . method , test . url , input , t ) response := callAPI ( sc . server , test . method , test . url , input , t )
@ -693,8 +693,8 @@ func TestPatchOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "server admin can update users in his org (legacy)" , name : "server admin can update users in his org (legacy)" ,
enableAccessControl : false , enableAccessControl : false ,
user : testServerAdminViewer , user : testServerAdminViewer ,
targetUserId : testEditorOrg1 . UserId , targetUserId : testEditorOrg1 . UserID ,
targetOrg : testServerAdminViewer . OrgId , targetOrg : testServerAdminViewer . OrgID ,
input : ` { "role": "Viewer"} ` , input : ` { "role": "Viewer"} ` ,
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
expectedMessage : util . DynMap { "message" : "Organization user updated" } , expectedMessage : util . DynMap { "message" : "Organization user updated" } ,
@ -704,7 +704,7 @@ func TestPatchOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "server admin can update users in another org (legacy)" , name : "server admin can update users in another org (legacy)" ,
enableAccessControl : false , enableAccessControl : false ,
user : testServerAdminViewer , user : testServerAdminViewer ,
targetUserId : testServerAdminViewer . UserId , targetUserId : testServerAdminViewer . UserID ,
targetOrg : 2 , targetOrg : 2 ,
input : ` { "role": "Editor"} ` , input : ` { "role": "Editor"} ` ,
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
@ -715,8 +715,8 @@ func TestPatchOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "org admin cannot update users in his org (legacy)" , name : "org admin cannot update users in his org (legacy)" ,
enableAccessControl : false , enableAccessControl : false ,
user : testAdminOrg2 , user : testAdminOrg2 ,
targetUserId : testServerAdminViewer . UserId , targetUserId : testServerAdminViewer . UserID ,
targetOrg : testAdminOrg2 . OrgId , targetOrg : testAdminOrg2 . OrgID ,
input : ` { "role": "Editor"} ` , input : ` { "role": "Editor"} ` ,
expectedCode : http . StatusForbidden , expectedCode : http . StatusForbidden ,
} , } ,
@ -724,7 +724,7 @@ func TestPatchOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "org admin cannot update users in another org (legacy)" , name : "org admin cannot update users in another org (legacy)" ,
enableAccessControl : false , enableAccessControl : false ,
user : testAdminOrg2 , user : testAdminOrg2 ,
targetUserId : testServerAdminViewer . UserId , targetUserId : testServerAdminViewer . UserID ,
targetOrg : 1 , targetOrg : 1 ,
input : ` { "role": "Editor"} ` , input : ` { "role": "Editor"} ` ,
expectedCode : http . StatusForbidden , expectedCode : http . StatusForbidden ,
@ -733,8 +733,8 @@ func TestPatchOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "server admin can update users in his org" , name : "server admin can update users in his org" ,
enableAccessControl : true , enableAccessControl : true ,
user : testServerAdminViewer , user : testServerAdminViewer ,
targetUserId : testEditorOrg1 . UserId , targetUserId : testEditorOrg1 . UserID ,
targetOrg : testServerAdminViewer . OrgId , targetOrg : testServerAdminViewer . OrgID ,
input : ` { "role": "Viewer"} ` , input : ` { "role": "Viewer"} ` ,
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
expectedMessage : util . DynMap { "message" : "Organization user updated" } , expectedMessage : util . DynMap { "message" : "Organization user updated" } ,
@ -744,7 +744,7 @@ func TestPatchOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "server admin can update users in another org" , name : "server admin can update users in another org" ,
enableAccessControl : true , enableAccessControl : true ,
user : testServerAdminViewer , user : testServerAdminViewer ,
targetUserId : testServerAdminViewer . UserId , targetUserId : testServerAdminViewer . UserID ,
targetOrg : 2 , targetOrg : 2 ,
input : ` { "role": "Editor"} ` , input : ` { "role": "Editor"} ` ,
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
@ -755,8 +755,8 @@ func TestPatchOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "org admin can update users in his org" , name : "org admin can update users in his org" ,
enableAccessControl : true , enableAccessControl : true ,
user : testAdminOrg2 , user : testAdminOrg2 ,
targetUserId : testServerAdminViewer . UserId , targetUserId : testServerAdminViewer . UserID ,
targetOrg : testAdminOrg2 . OrgId , targetOrg : testAdminOrg2 . OrgID ,
input : ` { "role": "Editor"} ` , input : ` { "role": "Editor"} ` ,
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
expectedMessage : util . DynMap { "message" : "Organization user updated" } , expectedMessage : util . DynMap { "message" : "Organization user updated" } ,
@ -766,7 +766,7 @@ func TestPatchOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "org admin cannot update users in another org" , name : "org admin cannot update users in another org" ,
enableAccessControl : true , enableAccessControl : true ,
user : testAdminOrg2 , user : testAdminOrg2 ,
targetUserId : testServerAdminViewer . UserId , targetUserId : testServerAdminViewer . UserID ,
targetOrg : 1 , targetOrg : 1 ,
input : ` { "role": "Editor"} ` , input : ` { "role": "Editor"} ` ,
expectedCode : http . StatusForbidden , expectedCode : http . StatusForbidden ,
@ -821,8 +821,8 @@ func TestDeleteOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "server admin can delete users from his org (legacy)" , name : "server admin can delete users from his org (legacy)" ,
enableAccessControl : false , enableAccessControl : false ,
user : testServerAdminViewer , user : testServerAdminViewer ,
targetUserId : testEditorOrg1 . UserId , targetUserId : testEditorOrg1 . UserID ,
targetOrg : testServerAdminViewer . OrgId , targetOrg : testServerAdminViewer . OrgID ,
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
expectedMessage : util . DynMap { "message" : "User removed from organization" } , expectedMessage : util . DynMap { "message" : "User removed from organization" } ,
expectedUserCount : 1 , expectedUserCount : 1 ,
@ -831,7 +831,7 @@ func TestDeleteOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "server admin can delete users from another org (legacy)" , name : "server admin can delete users from another org (legacy)" ,
enableAccessControl : false , enableAccessControl : false ,
user : testServerAdminViewer , user : testServerAdminViewer ,
targetUserId : testServerAdminViewer . UserId , targetUserId : testServerAdminViewer . UserID ,
targetOrg : 2 , targetOrg : 2 ,
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
expectedMessage : util . DynMap { "message" : "User removed from organization" } , expectedMessage : util . DynMap { "message" : "User removed from organization" } ,
@ -841,15 +841,15 @@ func TestDeleteOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "org admin can delete users from his org (legacy)" , name : "org admin can delete users from his org (legacy)" ,
enableAccessControl : false , enableAccessControl : false ,
user : testAdminOrg2 , user : testAdminOrg2 ,
targetUserId : testServerAdminViewer . UserId , targetUserId : testServerAdminViewer . UserID ,
targetOrg : testAdminOrg2 . OrgId , targetOrg : testAdminOrg2 . OrgID ,
expectedCode : http . StatusForbidden , expectedCode : http . StatusForbidden ,
} , } ,
{ {
name : "org admin cannot delete users from another org (legacy)" , name : "org admin cannot delete users from another org (legacy)" ,
enableAccessControl : false , enableAccessControl : false ,
user : testAdminOrg2 , user : testAdminOrg2 ,
targetUserId : testEditorOrg1 . UserId , targetUserId : testEditorOrg1 . UserID ,
targetOrg : 1 , targetOrg : 1 ,
expectedCode : http . StatusForbidden , expectedCode : http . StatusForbidden ,
} , } ,
@ -857,8 +857,8 @@ func TestDeleteOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "server admin can delete users from his org" , name : "server admin can delete users from his org" ,
enableAccessControl : true , enableAccessControl : true ,
user : testServerAdminViewer , user : testServerAdminViewer ,
targetUserId : testEditorOrg1 . UserId , targetUserId : testEditorOrg1 . UserID ,
targetOrg : testServerAdminViewer . OrgId , targetOrg : testServerAdminViewer . OrgID ,
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
expectedMessage : util . DynMap { "message" : "User removed from organization" } , expectedMessage : util . DynMap { "message" : "User removed from organization" } ,
expectedUserCount : 1 , expectedUserCount : 1 ,
@ -867,7 +867,7 @@ func TestDeleteOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "server admin can delete users from another org" , name : "server admin can delete users from another org" ,
enableAccessControl : true , enableAccessControl : true ,
user : testServerAdminViewer , user : testServerAdminViewer ,
targetUserId : testServerAdminViewer . UserId , targetUserId : testServerAdminViewer . UserID ,
targetOrg : 2 , targetOrg : 2 ,
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
expectedMessage : util . DynMap { "message" : "User removed from organization" } , expectedMessage : util . DynMap { "message" : "User removed from organization" } ,
@ -877,8 +877,8 @@ func TestDeleteOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "org admin can delete users from his org" , name : "org admin can delete users from his org" ,
enableAccessControl : true , enableAccessControl : true ,
user : testAdminOrg2 , user : testAdminOrg2 ,
targetUserId : testServerAdminViewer . UserId , targetUserId : testServerAdminViewer . UserID ,
targetOrg : testAdminOrg2 . OrgId , targetOrg : testAdminOrg2 . OrgID ,
expectedCode : http . StatusOK , expectedCode : http . StatusOK ,
expectedMessage : util . DynMap { "message" : "User removed from organization" } , expectedMessage : util . DynMap { "message" : "User removed from organization" } ,
expectedUserCount : 1 , expectedUserCount : 1 ,
@ -887,7 +887,7 @@ func TestDeleteOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
name : "org admin cannot delete users from another org" , name : "org admin cannot delete users from another org" ,
enableAccessControl : true , enableAccessControl : true ,
user : testAdminOrg2 , user : testAdminOrg2 ,
targetUserId : testEditorOrg1 . UserId , targetUserId : testEditorOrg1 . UserID ,
targetOrg : 1 , targetOrg : 1 ,
expectedCode : http . StatusForbidden , expectedCode : http . StatusForbidden ,
} , } ,
@ -911,7 +911,7 @@ func TestDeleteOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
getUsersQuery := models . GetOrgUsersQuery { getUsersQuery := models . GetOrgUsersQuery {
OrgId : tc . targetOrg , OrgId : tc . targetOrg ,
User : & user . SignedInUser { User : & user . SignedInUser {
OrgId : tc . targetOrg , OrgID : tc . targetOrg ,
Permissions : map [ int64 ] map [ string ] [ ] string { tc . targetOrg : { accesscontrol . ActionOrgUsersRead : { accesscontrol . ScopeUsersAll } } } , Permissions : map [ int64 ] map [ string ] [ ] string { tc . targetOrg : { accesscontrol . ActionOrgUsersRead : { accesscontrol . ScopeUsersAll } } } ,
} , } ,
} }
idafurjes
3 years ago
committed by