feat: remove user from groups on org membership delete (#14701)

* feat: remove user from groups on org membership delete Groups inherently provide authz access to certain resources. If a user is removed from an organization, they should be removed from all their groups in said organization.
2026-06-02 20:48:20 +00:00 · 2024-09-17 19:41:34 -05:00
parent c145f113fe
commit 1e5438eadb
6 changed files with 196 additions and 1 deletions
@@ -29,6 +29,7 @@ func TestEnterpriseMembers(t *testing.T) {
 			LicenseOptions: &coderdenttest.LicenseOptions{
 				Features: license.Features{
 					codersdk.FeatureMultipleOrganizations: 1,
+					codersdk.FeatureTemplateRBAC:          1,
 				},
 			},
 		})
@@ -39,6 +40,21 @@ func TestEnterpriseMembers(t *testing.T) {
 		_, user := coderdtest.CreateAnotherUser(t, owner, secondOrg.ID)

 		ctx := testutil.Context(t, testutil.WaitMedium)
+
+		// Groups exist to ensure a user removed from the org loses their
+		// group access.
+		g1, err := orgAdminClient.CreateGroup(ctx, secondOrg.ID, codersdk.CreateGroupRequest{
+			Name:        "foo",
+			DisplayName: "Foo",
+		})
+		require.NoError(t, err)
+
+		g2, err := orgAdminClient.CreateGroup(ctx, secondOrg.ID, codersdk.CreateGroupRequest{
+			Name:        "bar",
+			DisplayName: "Bar",
+		})
+		require.NoError(t, err)
+
 		// Verify the org of 3 members
 		members, err := orgAdminClient.OrganizationMembers(ctx, secondOrg.ID)
 		require.NoError(t, err)
@@ -47,6 +63,25 @@ func TestEnterpriseMembers(t *testing.T) {
 			[]uuid.UUID{first.UserID, user.ID, orgAdmin.ID},
 			db2sdk.List(members, onlyIDs))

+		// Add the member to some groups
+		_, err = orgAdminClient.PatchGroup(ctx, g1.ID, codersdk.PatchGroupRequest{
+			AddUsers: []string{user.ID.String()},
+		})
+		require.NoError(t, err)
+
+		_, err = orgAdminClient.PatchGroup(ctx, g2.ID, codersdk.PatchGroupRequest{
+			AddUsers: []string{user.ID.String()},
+		})
+		require.NoError(t, err)
+
+		// Verify group membership
+		userGroups, err := orgAdminClient.Groups(ctx, codersdk.GroupArguments{
+			HasMember: user.ID.String(),
+		})
+		require.NoError(t, err)
+		// Everyone group + 2 groups
+		require.Len(t, userGroups, 3)
+
 		// Delete a member
 		err = orgAdminClient.DeleteOrganizationMember(ctx, secondOrg.ID, user.Username)
 		require.NoError(t, err)
@@ -57,6 +92,13 @@ func TestEnterpriseMembers(t *testing.T) {
 		require.ElementsMatch(t,
 			[]uuid.UUID{first.UserID, orgAdmin.ID},
 			db2sdk.List(members, onlyIDs))
+
+		// User should now belong to 0 groups
+		userGroups, err = orgAdminClient.Groups(ctx, codersdk.GroupArguments{
+			HasMember: user.ID.String(),
+		})
+		require.NoError(t, err)
+		require.Len(t, userGroups, 0)
 	})

 	t.Run("PostUser", func(t *testing.T) {