add unit tests for site & user permission attempt

Emyrk · Emyrk · commit c5db3d72e9ed · 2024-05-28T11:22:42.000-05:00
diff --git a/enterprise/coderd/roles_test.go b/enterprise/coderd/roles_test.go
@@ -230,4 +230,47 @@ func TestCustomOrganizationRole(t *testing.T) {
 		_, err := owner.PatchOrganizationRole(ctx, first.OrganizationID, templateAdminCustom(uuid.New()))
 		require.ErrorContains(t, err, "does not match")
 	})
+
+	// Attempt to add site & user permissions, which is not allowed
+	t.Run("ExcessPermissions", func(t *testing.T) {
+		t.Parallel()
+		dv := coderdtest.DeploymentValues(t)
+		dv.Experiments = []string{string(codersdk.ExperimentCustomRoles)}
+		owner, first := coderdenttest.New(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				DeploymentValues: dv,
+			},
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles: 1,
+				},
+			},
+		})
+
+		ctx := testutil.Context(t, testutil.WaitMedium)
+
+		siteRole := templateAdminCustom(first.OrganizationID)
+		siteRole.SitePermissions = []codersdk.Permission{
+			{
+				ResourceType: codersdk.ResourceWorkspace,
+				Action:       codersdk.ActionRead,
+			},
+		}
+
+		//nolint:gocritic // owner is required for this
+		_, err := owner.PatchOrganizationRole(ctx, first.OrganizationID, siteRole)
+		require.ErrorContains(t, err, "site wide permissions")
+
+		userRole := templateAdminCustom(first.OrganizationID)
+		userRole.UserPermissions = []codersdk.Permission{
+			{
+				ResourceType: codersdk.ResourceWorkspace,
+				Action:       codersdk.ActionRead,
+			},
+		}
+
+		//nolint:gocritic // owner is required for this
+		_, err = owner.PatchOrganizationRole(ctx, first.OrganizationID, userRole)
+		require.ErrorContains(t, err, "not allowed to assign user permissions")
+	})
 }
