Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Manage Permissions to Team Organization Access #874

Merged
merged 6 commits into from May 1, 2024
Merged

Add Manage Permissions to Team Organization Access #874

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
8aef054
Add manage permissions to team org access
juliannatetreault Mar 21, 2024
b24865a
Update changelog
juliannatetreault Mar 25, 2024
5382e02
Update changelog post-rebase
juliannatetreault Apr 17, 2024
79c5441
Update changelog entry
juliannatetreault Apr 24, 2024
121da84
Updates the OrganizationAccessOptions struct
juliannatetreault Apr 24, 2024
86d24e4
Updates granular permission tests in team_integration_test.go
juliannatetreault May 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
@@ -1,4 +1,5 @@
# Unreleased
* Adds `ManageTeams`, `ManageOrganizationAccess`, and `AccessSecretTeams` permissions to team `OrganizationAccess` by @juliannatetreault [#874](https://github.com/hashicorp/go-tfe/pull/874)

# v1.52.0

Expand Down
50 changes: 28 additions & 22 deletions team.go
View file
Open in desktop
Expand Up @@ -61,17 +61,20 @@ type Team struct {

// OrganizationAccess represents the team's permissions on its organization
type OrganizationAccess struct {
ManagePolicies bool `jsonapi:"attr,manage-policies"`
ManagePolicyOverrides bool `jsonapi:"attr,manage-policy-overrides"`
ManageWorkspaces bool `jsonapi:"attr,manage-workspaces"`
ManageVCSSettings bool `jsonapi:"attr,manage-vcs-settings"`
ManageProviders bool `jsonapi:"attr,manage-providers"`
ManageModules bool `jsonapi:"attr,manage-modules"`
ManageRunTasks bool `jsonapi:"attr,manage-run-tasks"`
ManageProjects bool `jsonapi:"attr,manage-projects"`
ReadWorkspaces bool `jsonapi:"attr,read-workspaces"`
ReadProjects bool `jsonapi:"attr,read-projects"`
ManageMembership bool `jsonapi:"attr,manage-membership"`
ManagePolicies bool `jsonapi:"attr,manage-policies"`
ManagePolicyOverrides bool `jsonapi:"attr,manage-policy-overrides"`
ManageWorkspaces bool `jsonapi:"attr,manage-workspaces"`
ManageVCSSettings bool `jsonapi:"attr,manage-vcs-settings"`
ManageProviders bool `jsonapi:"attr,manage-providers"`
ManageModules bool `jsonapi:"attr,manage-modules"`
ManageRunTasks bool `jsonapi:"attr,manage-run-tasks"`
ManageProjects bool `jsonapi:"attr,manage-projects"`
ReadWorkspaces bool `jsonapi:"attr,read-workspaces"`
ReadProjects bool `jsonapi:"attr,read-projects"`
ManageMembership bool `jsonapi:"attr,manage-membership"`
ManageTeams bool `jsonapi:"attr,manage-teams"`
ManageOrganizationAccess bool `jsonapi:"attr,manage-organization-access"`
AccessSecretTeams bool `jsonapi:"attr,access-secret-teams"`
}

// TeamPermissions represents the current user's permissions on the team.
Expand Down Expand Up @@ -147,17 +150,20 @@ type TeamUpdateOptions struct {

// OrganizationAccessOptions represents the organization access options of a team.
type OrganizationAccessOptions struct {
ManagePolicies *bool `json:"manage-policies,omitempty"`
ManagePolicyOverrides *bool `json:"manage-policy-overrides,omitempty"`
ManageWorkspaces *bool `json:"manage-workspaces,omitempty"`
ManageVCSSettings *bool `json:"manage-vcs-settings,omitempty"`
ManageProviders *bool `json:"manage-providers,omitempty"`
ManageModules *bool `json:"manage-modules,omitempty"`
ManageRunTasks *bool `json:"manage-run-tasks,omitempty"`
ManageProjects *bool `json:"manage-projects,omitempty"`
ReadWorkspaces *bool `json:"read-workspaces,omitempty"`
ReadProjects *bool `json:"read-projects,omitempty"`
ManageMembership *bool `json:"manage-membership,omitempty"`
ManagePolicies *bool `json:"manage-policies,omitempty"`
ManagePolicyOverrides *bool `json:"manage-policy-overrides,omitempty"`
ManageWorkspaces *bool `json:"manage-workspaces,omitempty"`
ManageVCSSettings *bool `json:"manage-vcs-settings,omitempty"`
ManageProviders *bool `json:"manage-providers,omitempty"`
ManageModules *bool `json:"manage-modules,omitempty"`
ManageRunTasks *bool `json:"manage-run-tasks,omitempty"`
ManageProjects *bool `json:"manage-projects,omitempty"`
ReadWorkspaces *bool `json:"read-workspaces,omitempty"`
ReadProjects *bool `json:"read-projects,omitempty"`
ManageMembership *bool `json:"manage-membership,omitempty"`
ManageTeams *bool `json:"manage-teams,omitempty"`
ManageOrganizationAccess *bool `json:"manage-organization-access,omitempty"`
AccessSecretTeams *bool `json:"access-secret-teams,omitempty"`
}

// List all the teams of the given organization.
Expand Down
129 changes: 129 additions & 0 deletions team_integration_test.go
View file
Open in desktop
Expand Up @@ -482,3 +482,132 @@ func TestTeamsUpdateManageManageMembership(t *testing.T) {
originalTeamAccess.ManageMembership = true
assert.Equal(t, originalTeamAccess, refreshed.OrganizationAccess)
}

func TestTeamsUpdateManageTeams(t *testing.T) {
client := testClient(t)
ctx := context.Background()

orgTest, orgTestCleanup := createOrganization(t, client)
defer orgTestCleanup()

tmTest, tmTestCleanup := createTeam(t, client, orgTest)
defer tmTestCleanup()

teamRead, err := client.Teams.Read(ctx, tmTest.ID)
require.NoError(t, err)
assert.False(t, teamRead.OrganizationAccess.ManageTeams, "manage teams is false by default")

originalTeamAccess := teamRead.OrganizationAccess

options := TeamUpdateOptions{
OrganizationAccess: &OrganizationAccessOptions{
// **Note: ManageTeams requires ManageMembership.**
ManageMembership: Bool(true),
ManageTeams: Bool(true),
},
}

tm, err := client.Teams.Update(ctx, tmTest.ID, options)
require.NoError(t, err)
assert.True(t, tm.OrganizationAccess.ManageMembership)
assert.True(t, tm.OrganizationAccess.ManageTeams)

refreshed, err := client.Teams.Read(ctx, tmTest.ID)
require.NoError(t, err)
assert.True(t, refreshed.OrganizationAccess.ManageMembership)
assert.True(t, refreshed.OrganizationAccess.ManageTeams)

// Check that other org access fields are not updated
originalTeamAccess.ManageMembership = true
originalTeamAccess.ManageTeams = true
assert.Equal(t, originalTeamAccess, refreshed.OrganizationAccess)
}

func TestTeamsUpdateManageOrganizationAccess(t *testing.T) {
client := testClient(t)
ctx := context.Background()

orgTest, orgTestCleanup := createOrganization(t, client)
defer orgTestCleanup()

tmTest, tmTestCleanup := createTeam(t, client, orgTest)
defer tmTestCleanup()

teamRead, err := client.Teams.Read(ctx, tmTest.ID)
require.NoError(t, err)
assert.False(t, teamRead.OrganizationAccess.ManageOrganizationAccess, "manage organization access is false by default")

originalTeamAccess := teamRead.OrganizationAccess

options := TeamUpdateOptions{
OrganizationAccess: &OrganizationAccessOptions{
// **Note: ManageOrganizationAccess requires ManageMembership and ManageTeams.**
ManageMembership: Bool(true),
ManageTeams: Bool(true),
ManageOrganizationAccess: Bool(true),
},
}

tm, err := client.Teams.Update(ctx, tmTest.ID, options)
require.NoError(t, err)
assert.True(t, tm.OrganizationAccess.ManageMembership)
assert.True(t, tm.OrganizationAccess.ManageTeams)
assert.True(t, tm.OrganizationAccess.ManageOrganizationAccess)

refreshed, err := client.Teams.Read(ctx, tmTest.ID)
require.NoError(t, err)
assert.True(t, refreshed.OrganizationAccess.ManageMembership)
assert.True(t, refreshed.OrganizationAccess.ManageTeams)
assert.True(t, refreshed.OrganizationAccess.ManageOrganizationAccess)

// Check that other org access fields are not updated
originalTeamAccess.ManageMembership = true
originalTeamAccess.ManageTeams = true
originalTeamAccess.ManageOrganizationAccess = true
assert.Equal(t, originalTeamAccess, refreshed.OrganizationAccess)
}

func TestTeamsUpdateAccessSecretTeams(t *testing.T) {
client := testClient(t)
ctx := context.Background()

orgTest, orgTestCleanup := createOrganization(t, client)
defer orgTestCleanup()

tmTest, tmTestCleanup := createTeam(t, client, orgTest)
defer tmTestCleanup()

teamRead, err := client.Teams.Read(ctx, tmTest.ID)
require.NoError(t, err)
assert.False(t, teamRead.OrganizationAccess.AccessSecretTeams, "access secret teams is false by default")

originalTeamAccess := teamRead.OrganizationAccess

options := TeamUpdateOptions{
OrganizationAccess: &OrganizationAccessOptions{
// **Note: AccessSecretTeams requires at least one granular permission to be set
// for it to be set, and ManageTeams requires ManageMembership.**
ManageMembership: Bool(true),
ManageTeams: Bool(true),
AccessSecretTeams: Bool(true),
},
}

tm, err := client.Teams.Update(ctx, tmTest.ID, options)
require.NoError(t, err)
assert.True(t, tm.OrganizationAccess.ManageMembership)
assert.True(t, tm.OrganizationAccess.ManageTeams)
assert.True(t, tm.OrganizationAccess.AccessSecretTeams)

refreshed, err := client.Teams.Read(ctx, tmTest.ID)
require.NoError(t, err)
assert.True(t, refreshed.OrganizationAccess.ManageMembership)
assert.True(t, refreshed.OrganizationAccess.ManageTeams)
assert.True(t, refreshed.OrganizationAccess.AccessSecretTeams)

// Check that other org access fields are not updated
originalTeamAccess.ManageMembership = true
originalTeamAccess.ManageTeams = true
originalTeamAccess.AccessSecretTeams = true
assert.Equal(t, originalTeamAccess, refreshed.OrganizationAccess)
}