Commit19a26b3

committed
chore: clean up built-in role permissions
1 parent9f5ad23 commit19a26b3

3 files changed

+15
-13
lines changed

3 files changed

+15
-13
lines changed

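--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -283,10 +283,11 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 Permissions(map[string][]policy.Action{
 // Reduced permission set on dormant workspaces. No build, ssh, or exec
 ResourceWorkspaceDormant.Type: {policy.ActionRead,policy.ActionDelete,policy.ActionCreate,policy.ActionUpdate,policy.ActionWorkspaceStop},
-
 // Users cannot do create/update/delete on themselves, but they
 // can read their own details.
 ResourceUser.Type: {policy.ActionRead,policy.ActionReadPersonal,policy.ActionUpdatePersonal},
+// Can read their own organization member record
+ResourceOrganizationMember.Type: {policy.ActionRead},
 // Users can create provisioner daemons scoped to themselves.
 ResourceProvisionerDaemon.Type: {policy.ActionRead,policy.ActionCreate,policy.ActionRead,policy.ActionUpdate},
 })...,
@@ -423,12 +424,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceAssignOrgRole.Type: {policy.ActionRead},
 }),
 },
-User: []Permission{
-{
-ResourceType:ResourceOrganizationMember.Type,
-Action:policy.ActionRead,
-},
-},
+User: []Permission{},
 }
 },
 orgAuditor:func(organizationID uuid.UUID)Role {
@@ -439,6 +435,12 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 Org:map[string][]Permission{
 organizationID.String():Permissions(map[string][]policy.Action{
 ResourceAuditLog.Type: {policy.ActionRead},
+// Allow auditors to see the resources that audit logs reflect.
+ResourceTemplate.Type: {policy.ActionRead,policy.ActionViewInsights},
+ResourceGroup.Type: {policy.ActionRead},
+ResourceGroupMember.Type: {policy.ActionRead},
+ResourceOrganization.Type: {policy.ActionRead},
+ResourceOrganizationMember.Type: {policy.ActionRead},
 }),
 },
 User: []Permission{},
@@ -458,6 +460,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 organizationID.String():Permissions(map[string][]policy.Action{
 // Assign, remove, and read roles in the organization.
 ResourceAssignOrgRole.Type: {policy.ActionAssign,policy.ActionDelete,policy.ActionRead},
+ResourceOrganization.Type: {policy.ActionRead},
 ResourceOrganizationMember.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
 ResourceGroup.Type:ResourceGroup.AvailableActions(),
 ResourceGroupMember.Type:ResourceGroupMember.AvailableActions(),
@@ -479,9 +482,11 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceFile.Type: {policy.ActionCreate,policy.ActionRead},
 ResourceWorkspace.Type: {policy.ActionRead},
 // Assigning template perms requires this permission.
+ResourceOrganization.Type: {policy.ActionRead},
 ResourceOrganizationMember.Type: {policy.ActionRead},
 ResourceGroup.Type: {policy.ActionRead},
 ResourceGroupMember.Type: {policy.ActionRead},
+ResourceProvisionerDaemon.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
 ResourceProvisionerJobs.Type: {policy.ActionRead},
 }),
 },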
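Review bot: The `ResourceProvisionerDaemon.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete}` entry added in the last hunk (new line 489) is the one addition in this file that widens a role beyond read access, and it is also the only new entry without a comment saying which feature needs it, whereas the adjacent `// Assigning template perms requires this permission.` explains the entry it precedes. For a commit titled "chore", a one-line comment such as `// Needed to register and manage organization-scoped provisioner daemons.` (if that is the reason) lets a later reader tell an intentional grant from a leftover. The role's name is not visible in the hunk, but like the neighbouring roles this map presumably sits under an `organizationID.String()` key, so an authorization test asserting that the role cannot update or delete provisioner daemons of another organization would pin the intended scope. The first hunk's pre-existing `policy.ActionRead` listed twice in the member's `ResourceProvisionerDaemon` entry could be tidied in the same pass. `ReloadBuiltinRoles` begins before and ends after every hunk here.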

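--- a/site/src/modules/management/OrganizationSidebarView.tsx
+++ b/site/src/modules/management/OrganizationSidebarView.tsx
@@ -167,11 +167,9 @@ const OrganizationSettingsNavigation: FC<
 return(
 <>
 <divclassName="flex flex-col gap-1 my-2">
-{orgPermissions.viewMembers&&(
-<SettingsSidebarNavItemendhref={urlForSubpage(organization.name)}>
-Members
-</SettingsSidebarNavItem>
-)}
+<SettingsSidebarNavItemendhref={urlForSubpage(organization.name)}>
+Members
+</SettingsSidebarNavItem>
 {orgPermissions.viewGroups&&(
 <SettingsSidebarNavItem
 href={urlForSubpage(organization.name,"groups")}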
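Review bot: The `Members` nav item at new lines 170-172 is now rendered for every viewer, dropping the `orgPermissions.viewMembers` gate that the `viewGroups` item directly below still keeps, so a reader of this file alone sees the two items treated inconsistently. If the reason is the server-side change in this same commit (every organization member can now read organization member records), a comment on the item, `{/* Every org member may read member records, so this link is never gated. */}`, would record that and make clear the UI gate was removed deliberately rather than forgotten. It is worth confirming that `viewMembers` is still needed wherever it is computed; on this page it is still consulted in `canViewOrganization`. The `OrganizationSettingsNavigation` component begins before and ends after this hunk.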

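--- a/site/src/modules/management/organizationPermissions.tsx
+++ b/site/src/modules/management/organizationPermissions.tsx
@@ -114,7 +114,6 @@ export const canViewOrganization = (
 permissions!==undefined&&
 (permissions.viewMembers||
 permissions.viewGroups||
-permissions.viewOrgRoles||
 permissions.viewProvisioners||
 permissions.viewIdpSyncSettings)
 );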
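Review bot: Removing `permissions.viewOrgRoles||` at old line 117 narrows `canViewOrganization`: a user whose only organization-level permission is viewing roles no longer qualifies, so whatever organization page they could still open may vanish from navigation while remaining reachable by URL. If an organization roles page still exists, the line should stay; if role visibility has intentionally stopped gating the organization page, a comment above the disjunction such as `// viewOrgRoles is intentionally omitted: role visibility no longer gates the org page.` would make that explicit for the next reader. `canViewOrganization` begins before this hunk.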
