fix: don't require organization_id in body when updating a custom role

aslilac · aslilac · commit de9c2e9eed25 · 2024-08-01T22:10:11.000Z
diff --git a/cli/organizationroles.go b/cli/organizationroles.go
@@ -203,7 +203,7 @@ func (r *RootCmd) editOrganizationRole(orgContext *OrganizationContext) *serpent
 				// Do not actually post
 				updated = customRole
 			} else {
-				updated, err = client.PatchOrganizationRole(ctx, org.ID, customRole)
+				updated, err = client.PatchOrganizationRole(ctx, customRole)
 				if err != nil {
 					return xerrors.Errorf("patch role: %w", err)
 				}
diff --git a/coderd/roles.go b/coderd/roles.go
@@ -20,12 +20,12 @@ import (
 // roles. Ideally only included in the enterprise package, but the routes are
 // intermixed with AGPL endpoints.
 type CustomRoleHandler interface {
-	PatchOrganizationRole(ctx context.Context, rw http.ResponseWriter, r *http.Request, orgID uuid.UUID, role codersdk.Role) (codersdk.Role, bool)
+	PatchOrganizationRole(ctx context.Context, rw http.ResponseWriter, r *http.Request, orgID uuid.UUID, role codersdk.PatchRoleRequest) (codersdk.Role, bool)
 }
 
 type agplCustomRoleHandler struct{}
 
-func (agplCustomRoleHandler) PatchOrganizationRole(ctx context.Context, rw http.ResponseWriter, _ *http.Request, _ uuid.UUID, _ codersdk.Role) (codersdk.Role, bool) {
+func (agplCustomRoleHandler) PatchOrganizationRole(ctx context.Context, rw http.ResponseWriter, _ *http.Request, _ uuid.UUID, _ codersdk.PatchRoleRequest) (codersdk.Role, bool) {
 	httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
 		Message: "Creating and updating custom roles is an Enterprise feature. Contact sales!",
 	})
@@ -49,7 +49,7 @@ func (api *API) patchOrgRoles(rw http.ResponseWriter, r *http.Request) {
 		organization = httpmw.OrganizationParam(r)
 	)
 
-	var req codersdk.Role
+	var req codersdk.PatchRoleRequest
 	if !httpapi.Read(ctx, rw, r, &req) {
 		return
 	}
diff --git a/codersdk/roles.go b/codersdk/roles.go
@@ -61,6 +61,16 @@ type Role struct {
 	UserPermissions         []Permission `json:"user_permissions" table:"user_permissions"`
 }
 
+// Role is a longer form of SlimRole used to edit custom roles.
+type PatchRoleRequest struct {
+	Name            string       `json:"name" table:"name,default_sort" validate:"username"`
+	DisplayName     string       `json:"display_name" table:"display_name"`
+	SitePermissions []Permission `json:"site_permissions" table:"site_permissions"`
+	// OrganizationPermissions are specific to the organization the role belongs to.
+	OrganizationPermissions []Permission `json:"organization_permissions" table:"organization_permissions"`
+	UserPermissions         []Permission `json:"user_permissions" table:"user_permissions"`
+}
+
 // FullName returns the role name scoped to the organization ID. This is useful if
 // printing a set of roles from different scopes, as duplicated names across multiple
 // scopes will become unique.
@@ -73,18 +83,26 @@ func (r Role) FullName() string {
 }
 
 // PatchOrganizationRole will upsert a custom organization role
-func (c *Client) PatchOrganizationRole(ctx context.Context, organizationID uuid.UUID, req Role) (Role, error) {
+func (c *Client) PatchOrganizationRole(ctx context.Context, role Role) (Role, error) {
+	req := PatchRoleRequest{
+		Name:                    role.Name,
+		DisplayName:             role.DisplayName,
+		SitePermissions:         role.SitePermissions,
+		OrganizationPermissions: role.OrganizationPermissions,
+		UserPermissions:         role.UserPermissions,
+	}
+
 	res, err := c.Request(ctx, http.MethodPatch,
-		fmt.Sprintf("/api/v2/organizations/%s/members/roles", organizationID.String()), req)
+		fmt.Sprintf("/api/v2/organizations/%s/members/roles", role.OrganizationID), req)
 	if err != nil {
 		return Role{}, err
 	}
 	defer res.Body.Close()
 	if res.StatusCode != http.StatusOK {
 		return Role{}, ReadBodyAsError(res)
 	}
-	var role Role
-	return role, json.NewDecoder(res.Body).Decode(&role)
+	var r Role
+	return r, json.NewDecoder(res.Body).Decode(&r)
 }
 
 // ListSiteRoles lists all assignable site wide roles.
diff --git a/enterprise/coderd/roles.go b/enterprise/coderd/roles.go
@@ -21,7 +21,7 @@ type enterpriseCustomRoleHandler struct {
 	Enabled bool
 }
 
-func (h enterpriseCustomRoleHandler) PatchOrganizationRole(ctx context.Context, rw http.ResponseWriter, r *http.Request, orgID uuid.UUID, role codersdk.Role) (codersdk.Role, bool) {
+func (h enterpriseCustomRoleHandler) PatchOrganizationRole(ctx context.Context, rw http.ResponseWriter, r *http.Request, orgID uuid.UUID, role codersdk.PatchRoleRequest) (codersdk.Role, bool) {
 	if !h.Enabled {
 		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
 			Message: "Custom roles are not enabled",
@@ -77,14 +77,6 @@ func (h enterpriseCustomRoleHandler) PatchOrganizationRole(ctx context.Context,
 		return codersdk.Role{}, false
 	}
 
-	if role.OrganizationID != orgID.String() {
-		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-			Message: "Invalid request, organization in role and url must match",
-			Detail:  fmt.Sprintf("role organization=%q does not match URL=%q", role.OrganizationID, orgID.String()),
-		})
-		return codersdk.Role{}, false
-	}
-
 	originalRoles, err := db.CustomRoles(ctx, database.CustomRolesParams{
 		LookupRoles: []database.NameOrganizationPair{
 			{

Original file line number	Diff line number	Diff line change
`@@ -203,7 +203,7 @@ func (r RootCmd) editOrganizationRole(orgContext OrganizationContext) *serpent`
`203`	`203`	`// Do not actually post`
`204`	`204`	`updated = customRole`
`205`	`205`	`} else {`
`206`		`- updated, err = client.PatchOrganizationRole(ctx, org.ID, customRole)`
	`206`	`+ updated, err = client.PatchOrganizationRole(ctx, customRole)`
`207`	`207`	`if err != nil {`
`208`	`208`	`return xerrors.Errorf("patch role: %w", err)`
`209`	`209`	`}`