Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit49d6d0f

Browse files
authored
chore: add built in organization roles to match site (#13938)
* chore: add built in organization roles to match siteAdded org user admin, org template admin, and org auditor
1 parent8beb0b1 commit49d6d0f

File tree

7 files changed

+300
-145
lines changed

7 files changed

+300
-145
lines changed

‎coderd/authorize_test.go‎

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -103,7 +103,7 @@ func TestCheckPermissions(t *testing.T) {
103103
Client:orgAdminClient,
104104
UserID:orgAdminUser.ID,
105105
Check:map[string]bool{
106-
readAllUsers:false,
106+
readAllUsers:true,
107107
readMyself:true,
108108
readOwnWorkspaces:true,
109109
readOrgWorkspaces:true,

‎coderd/members_test.go‎

Lines changed: 10 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -33,20 +33,23 @@ func TestAddMember(t *testing.T) {
3333
// Make a user not in the second organization
3434
_,user:=coderdtest.CreateAnotherUser(t,owner,first.OrganizationID)
3535

36-
members,err:=owner.OrganizationMembers(ctx,org.ID)
36+
// Use scoped user admin in org to add the user
37+
client,userAdmin:=coderdtest.CreateAnotherUser(t,owner,org.ID,rbac.ScopedRoleOrgUserAdmin(org.ID))
38+
39+
members,err:=client.OrganizationMembers(ctx,org.ID)
3740
require.NoError(t,err)
38-
require.Len(t,members,1)// Verifyjustthe1 member
41+
require.Len(t,members,2)// Verify the2 members at the start
3942

4043
// Add user to org
41-
_,err=owner.PostOrganizationMember(ctx,org.ID,user.Username)
44+
_,err=client.PostOrganizationMember(ctx,org.ID,user.Username)
4245
require.NoError(t,err)
4346

44-
members,err=owner.OrganizationMembers(ctx,org.ID)
47+
members,err=client.OrganizationMembers(ctx,org.ID)
4548
require.NoError(t,err)
46-
// Owner + new member
47-
require.Len(t,members,2)
49+
// Owner +user admin +new member
50+
require.Len(t,members,3)
4851
require.ElementsMatch(t,
49-
[]uuid.UUID{first.UserID,user.ID},
52+
[]uuid.UUID{first.UserID,user.ID,userAdmin.ID},
5053
db2sdk.List(members,onlyIDs))
5154
})
5255

‎coderd/rbac/roles.go‎

Lines changed: 102 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -27,8 +27,11 @@ const (
2727
customSiteRolestring="custom-site-role"
2828
customOrganizationRolestring="custom-organization-role"
2929

30-
orgAdminstring="organization-admin"
31-
orgMemberstring="organization-member"
30+
orgAdminstring="organization-admin"
31+
orgMemberstring="organization-member"
32+
orgAuditorstring="organization-auditor"
33+
orgUserAdminstring="organization-user-admin"
34+
orgTemplateAdminstring="organization-template-admin"
3235
)
3336

3437
funcinit() {
@@ -144,18 +147,38 @@ func RoleOrgMember() string {
144147
returnorgMember
145148
}
146149

150+
funcRoleOrgAuditor()string {
151+
returnorgAuditor
152+
}
153+
154+
funcRoleOrgUserAdmin()string {
155+
returnorgUserAdmin
156+
}
157+
158+
funcRoleOrgTemplateAdmin()string {
159+
returnorgTemplateAdmin
160+
}
161+
147162
// ScopedRoleOrgAdmin is the org role with the organization ID
148-
// Deprecated This was used before organization scope was included as a
149-
// field in all user facing APIs. Usage of 'ScopedRoleOrgAdmin()' is preferred.
150163
funcScopedRoleOrgAdmin(organizationID uuid.UUID)RoleIdentifier {
151-
returnRoleIdentifier{Name:orgAdmin,OrganizationID:organizationID}
164+
returnRoleIdentifier{Name:RoleOrgAdmin(),OrganizationID:organizationID}
152165
}
153166

154167
// ScopedRoleOrgMember is the org role with the organization ID
155-
// Deprecated This was used before organization scope was included as a
156-
// field in all user facing APIs. Usage of 'ScopedRoleOrgMember()' is preferred.
157168
funcScopedRoleOrgMember(organizationID uuid.UUID)RoleIdentifier {
158-
returnRoleIdentifier{Name:orgMember,OrganizationID:organizationID}
169+
returnRoleIdentifier{Name:RoleOrgMember(),OrganizationID:organizationID}
170+
}
171+
172+
funcScopedRoleOrgAuditor(organizationID uuid.UUID)RoleIdentifier {
173+
returnRoleIdentifier{Name:RoleOrgAuditor(),OrganizationID:organizationID}
174+
}
175+
176+
funcScopedRoleOrgUserAdmin(organizationID uuid.UUID)RoleIdentifier {
177+
returnRoleIdentifier{Name:RoleOrgUserAdmin(),OrganizationID:organizationID}
178+
}
179+
180+
funcScopedRoleOrgTemplateAdmin(organizationID uuid.UUID)RoleIdentifier {
181+
returnRoleIdentifier{Name:RoleOrgTemplateAdmin(),OrganizationID:organizationID}
159182
}
160183

161184
funcallPermsExcept(excepts...Objecter) []Permission {
@@ -365,7 +388,11 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
365388
returnRole{
366389
Identifier:RoleIdentifier{Name:orgAdmin,OrganizationID:organizationID},
367390
DisplayName:"Organization Admin",
368-
Site: []Permission{},
391+
Site:Permissions(map[string][]policy.Action{
392+
// To assign organization members, we need to be able to read
393+
// users at the site wide to know they exist.
394+
ResourceUser.Type: {policy.ActionRead},
395+
}),
369396
Org:map[string][]Permission{
370397
// Org admins should not have workspace exec perms.
371398
organizationID.String():append(allPermsExcept(ResourceWorkspace,ResourceWorkspaceDormant,ResourceAssignRole),Permissions(map[string][]policy.Action{
@@ -377,8 +404,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
377404
}
378405
},
379406

380-
// orgMember has an empty set of permissions, this just implies their membership
381-
// in an organization.
407+
// orgMember is an implied role to any member in an organization.
382408
orgMember:func(organizationID uuid.UUID)Role {
383409
returnRole{
384410
Identifier:RoleIdentifier{Name:orgMember,OrganizationID:organizationID},
@@ -406,6 +432,59 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
406432
},
407433
}
408434
},
435+
orgAuditor:func(organizationID uuid.UUID)Role {
436+
returnRole{
437+
Identifier:RoleIdentifier{Name:orgAuditor,OrganizationID:organizationID},
438+
DisplayName:"Organization Auditor",
439+
Site: []Permission{},
440+
Org:map[string][]Permission{
441+
organizationID.String():Permissions(map[string][]policy.Action{
442+
ResourceAuditLog.Type: {policy.ActionRead},
443+
}),
444+
},
445+
User: []Permission{},
446+
}
447+
},
448+
orgUserAdmin:func(organizationID uuid.UUID)Role {
449+
// Manages organization members and groups.
450+
returnRole{
451+
Identifier:RoleIdentifier{Name:orgUserAdmin,OrganizationID:organizationID},
452+
DisplayName:"Organization User Admin",
453+
Site:Permissions(map[string][]policy.Action{
454+
// To assign organization members, we need to be able to read
455+
// users at the site wide to know they exist.
456+
ResourceUser.Type: {policy.ActionRead},
457+
}),
458+
Org:map[string][]Permission{
459+
organizationID.String():Permissions(map[string][]policy.Action{
460+
// Assign, remove, and read roles in the organization.
461+
ResourceAssignOrgRole.Type: {policy.ActionAssign,policy.ActionDelete,policy.ActionRead},
462+
ResourceOrganizationMember.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
463+
ResourceGroup.Type:ResourceGroup.AvailableActions(),
464+
}),
465+
},
466+
User: []Permission{},
467+
}
468+
},
469+
orgTemplateAdmin:func(organizationID uuid.UUID)Role {
470+
// Manages organization members and groups.
471+
returnRole{
472+
Identifier:RoleIdentifier{Name:orgTemplateAdmin,OrganizationID:organizationID},
473+
DisplayName:"Organization Template Admin",
474+
Site: []Permission{},
475+
Org:map[string][]Permission{
476+
organizationID.String():Permissions(map[string][]policy.Action{
477+
ResourceTemplate.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete,policy.ActionViewInsights},
478+
ResourceFile.Type: {policy.ActionCreate,policy.ActionRead},
479+
ResourceWorkspace.Type: {policy.ActionRead},
480+
// Assigning template perms requires this permission.
481+
ResourceOrganizationMember.Type: {policy.ActionRead},
482+
ResourceGroup.Type: {policy.ActionRead},
483+
}),
484+
},
485+
User: []Permission{},
486+
}
487+
},
409488
}
410489
}
411490

@@ -421,6 +500,9 @@ var assignRoles = map[string]map[string]bool{
421500
member:true,
422501
orgAdmin:true,
423502
orgMember:true,
503+
orgAuditor:true,
504+
orgUserAdmin:true,
505+
orgTemplateAdmin:true,
424506
templateAdmin:true,
425507
userAdmin:true,
426508
customSiteRole:true,
@@ -432,6 +514,9 @@ var assignRoles = map[string]map[string]bool{
432514
member:true,
433515
orgAdmin:true,
434516
orgMember:true,
517+
orgAuditor:true,
518+
orgUserAdmin:true,
519+
orgTemplateAdmin:true,
435520
templateAdmin:true,
436521
userAdmin:true,
437522
customSiteRole:true,
@@ -444,8 +529,14 @@ var assignRoles = map[string]map[string]bool{
444529
orgAdmin: {
445530
orgAdmin:true,
446531
orgMember:true,
532+
orgAuditor:true,
533+
orgUserAdmin:true,
534+
orgTemplateAdmin:true,
447535
customOrganizationRole:true,
448536
},
537+
orgUserAdmin: {
538+
orgMember:true,
539+
},
449540
}
450541

451542
// ExpandableRoles is any type that can be expanded into a []Role. This is implemented

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp