From 6c7f267a0785d46d2b92273a1c6c37cc8f3ecf7e Mon Sep 17 00:00:00 2001
From: Brian Dwyer
Date: Wed, 13 Jul 2022 15:59:16 -0400
Subject: [PATCH] Allow org admins to associate users to an org

Signed-off-by: Brian Dwyer
---
 .../apps/oc_chef_wm/src/oc_chef_wm_org_associations.erl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/oc_erchef/apps/oc_chef_wm/src/oc_chef_wm_org_associations.erl b/src/oc_erchef/apps/oc_chef_wm/src/oc_chef_wm_org_associations.erl
index 00fff1b12d..5dae248a9f 100644
--- a/src/oc_erchef/apps/oc_chef_wm/src/oc_chef_wm_org_associations.erl
+++ b/src/oc_erchef/apps/oc_chef_wm/src/oc_chef_wm_org_associations.erl
@@ -118,13 +118,13 @@ auth_info(Req, #base_state{requestor_id = RequestorAuthzId,
 organization_authz_id = OrgAuthzId,
 resource_state = #association_state{user = User} } = State) ->
 case wrq:method(Req) of
- 'POST' ->
- % Only the superuser can force-create an org-user association
- {superuser_only, Req, State};
 Method ->
 {auth_type_for_method(Method, User, OrgAuthzId, RequestorAuthzId), Req, State}
 end.
 
+auth_type_for_method('POST', #chef_user{authz_id = UserAuthzId }, OrgAuthzId, _RequestorAuthzId) ->
+ [{object, OrgAuthzId, update}, {actor, UserAuthzId, update}];
+
 auth_type_for_method('DELETE', #chef_user{ authz_id = UserAuthzId }, _OrgAuthzId, UserAuthzId) ->
 %% permissions-wise, user can always disassociate his or her own org association
 %% though we'll have additional safety checks below as well.
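Review bot: The new `auth_type_for_method('POST', ...)` clause replaces the superuser-only gate on force-creating an association with `[{object, OrgAuthzId, update}, {actor, UserAuthzId, update}]`, but nothing in the hunk shows whether the caller evaluates that list as all-of or any-of, and the comment that stated the old rule was deleted with the `'POST'` branch. If the list were any-of, update on the org alone would be enough to attach an arbitrary user, so the clause should carry a comment such as `%% Force-create: requestor needs update on BOTH the org and the target user's actor`, backed by a test in which a requestor holding org update but not update on the user is refused. The `case wrq:method(Req) of` that remains has a single catch-all branch and could be reduced to `{auth_type_for_method(wrq:method(Req), User, OrgAuthzId, RequestorAuthzId), Req, State}.`. The other `auth_type_for_method` clauses and the code that evaluates the returned list lie outside the hunk.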