(t *testing.T)
| 226 | } |
| 227 | |
| 228 | func TestRenderPermissionsResolvesMe(t *testing.T) { |
| 229 | t.Parallel() |
| 230 | |
| 231 | // GIVEN: a site handler wired to a real RBAC authorizer and a |
| 232 | // template that renders only the SSR permissions JSON. |
| 233 | siteFS := fstest.MapFS{ |
| 234 | "index.html": &fstest.MapFile{ |
| 235 | Data: []byte("{{ .Permissions }}"), |
| 236 | }, |
| 237 | } |
| 238 | db, _ := dbtestutil.NewDB(t) |
| 239 | authorizer := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry()) |
| 240 | |
| 241 | handler, err := site.New(&site.Options{ |
| 242 | Telemetry: telemetry.NewNoop(), |
| 243 | Database: db, |
| 244 | SiteFS: siteFS, |
| 245 | Authorizer: authorizer, |
| 246 | }) |
| 247 | require.NoError(t, err) |
| 248 | |
| 249 | // GIVEN: a user with the agents-access role at the org level. |
| 250 | org := dbgen.Organization(t, db, database.Organization{}) |
| 251 | userWithRole := dbgen.User(t, db, database.User{}) |
| 252 | dbgen.OrganizationMember(t, db, database.OrganizationMember{ |
| 253 | OrganizationID: org.ID, |
| 254 | UserID: userWithRole.ID, |
| 255 | Roles: []string{rbac.RoleAgentsAccess()}, |
| 256 | }) |
| 257 | _, tokenWithRole := dbgen.APIKey(t, db, database.APIKey{ |
| 258 | UserID: userWithRole.ID, |
| 259 | ExpiresAt: time.Now().Add(time.Hour), |
| 260 | }) |
| 261 | |
| 262 | // WHEN: the user loads the page. |
| 263 | r := httptest.NewRequest("GET", "/", nil) |
| 264 | r.Header.Set(codersdk.SessionTokenHeader, tokenWithRole) |
| 265 | rw := httptest.NewRecorder() |
| 266 | handler.ServeHTTP(rw, r) |
| 267 | require.Equal(t, http.StatusOK, rw.Code) |
| 268 | |
| 269 | // THEN: the SSR-rendered permissions include createChat = true |
| 270 | // because the agents-access role grants org-scoped chat create |
| 271 | // permission, and the any_org check picks it up. |
| 272 | var permsWithRole codersdk.AuthorizationResponse |
| 273 | err = json.Unmarshal([]byte(html.UnescapeString(rw.Body.String())), &permsWithRole) |
| 274 | require.NoError(t, err) |
| 275 | assert.True(t, permsWithRole["createChat"], "user with agents-access role should have createChat = true") |
| 276 | |
| 277 | // GIVEN: a user without the agents-access role. |
| 278 | userWithoutRole := dbgen.User(t, db, database.User{}) |
| 279 | _, tokenWithoutRole := dbgen.APIKey(t, db, database.APIKey{ |
| 280 | UserID: userWithoutRole.ID, |
| 281 | ExpiresAt: time.Now().Add(time.Hour), |
| 282 | }) |
| 283 | |
| 284 | // WHEN: the user loads the page. |
| 285 | r = httptest.NewRequest("GET", "/", nil) |
nothing calls this directly
no test coverage detected