Commit77432a2

start adding an organization member permission level
1 parent669984c commit77432a2


8 files changed

+269
-119
lines changed


‎coderd/apidoc/docs.go‎

Lines changed: 21 additions & 0 deletions

‎coderd/apidoc/swagger.json‎

Lines changed: 21 additions & 0 deletions

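--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -281,8 +281,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 // Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions.
 ResourcePrebuiltWorkspace.Type: {policy.ActionUpdate,policy.ActionDelete},
 })...),
-Org:map[string][]Permission{},
-User: []Permission{},
+Org:map[string][]Permission{},
+User: []Permission{},
+OrgMember:map[string][]Permission{},
 }.withCachedRegoValue()
 
 memberRole:=Role{
@@ -308,6 +309,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceProvisionerDaemon.Type: {policy.ActionRead,policy.ActionCreate,policy.ActionRead,policy.ActionUpdate},
 })...,
 ),
+OrgMember:map[string][]Permission{},
 }.withCachedRegoValue()
 
 auditorRole:=Role{
@@ -328,8 +330,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceDeploymentStats.Type: {policy.ActionRead},
 ResourceDeploymentConfig.Type: {policy.ActionRead},
 }),
-Org:map[string][]Permission{},
-User: []Permission{},
+Org:map[string][]Permission{},
+User: []Permission{},
+OrgMember:map[string][]Permission{},
 }.withCachedRegoValue()
 
 templateAdminRole:=Role{
@@ -351,8 +354,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceOrganization.Type: {policy.ActionRead},
 ResourceOrganizationMember.Type: {policy.ActionRead},
 }),
-Org:map[string][]Permission{},
-User: []Permission{},
+Org:map[string][]Permission{},
+User: []Permission{},
+OrgMember:map[string][]Permission{},
 }.withCachedRegoValue()
 
 userAdminRole:=Role{
@@ -375,8 +379,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 // Manage org membership based on OIDC claims
 ResourceIdpsyncSettings.Type: {policy.ActionRead,policy.ActionUpdate},
 }),
-Org:map[string][]Permission{},
-User: []Permission{},
+Org:map[string][]Permission{},
+User: []Permission{},
+OrgMember:map[string][]Permission{},
 }.withCachedRegoValue()
 
 builtInRoles=map[string]func(orgID uuid.UUID)Role{
@@ -427,7 +432,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourcePrebuiltWorkspace.Type: {policy.ActionUpdate,policy.ActionDelete},
 })...),
 },
-User: []Permission{},
+User: []Permission{},
+OrgMember:map[string][]Permission{},
 }
 },
 
@@ -448,7 +454,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceAssignOrgRole.Type: {policy.ActionRead},
 }),
 },
-User: []Permission{},
+User: []Permission{},
+OrgMember:map[string][]Permission{},
 }
 },
 orgAuditor:func(organizationID uuid.UUID)Role {
@@ -468,7 +475,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceOrganizationMember.Type: {policy.ActionRead},
 }),
 },
-User: []Permission{},
+User: []Permission{},
+OrgMember:map[string][]Permission{},
 }
 },
 orgUserAdmin:func(organizationID uuid.UUID)Role {
@@ -492,7 +500,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceIdpsyncSettings.Type: {policy.ActionRead,policy.ActionUpdate},
 }),
 },
-User: []Permission{},
+User: []Permission{},
+OrgMember:map[string][]Permission{},
 }
 },
 orgTemplateAdmin:func(organizationID uuid.UUID)Role {
@@ -519,7 +528,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceProvisionerJobs.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionCreate},
 }),
 },
-User: []Permission{},
+User: []Permission{},
+OrgMember:map[string][]Permission{},
 }
 },
 // orgWorkspaceCreationBan prevents creating & deleting workspaces. This
@@ -554,7 +564,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 },
 },
 },
-User: []Permission{},
+User: []Permission{},
+OrgMember:map[string][]Permission{},
 }
 },
 }
@@ -665,9 +676,10 @@ func (perm Permission) Valid() error {
 }
 
 // Role is a set of permissions at multiple levels:
-// - Site level permissions apply EVERYWHERE
-// - Org level permissions apply to EVERYTHING in a given ORG
-// - User level permissions are the lowest
+// - Site permissions apply EVERYWHERE
+// - Org permissions apply to EVERYTHING in a given ORG
+// - User permissions apply to all resources the user owns
+// - OrgMember permissions apply to resources in the given org that the user owns
 // This is the type passed into the rego as a json payload.
 // Users of this package should instead **only** use the role names, and
 // this package will expand the role names into their json payloads.
@@ -677,11 +689,13 @@ type Role struct {
 // that means the UI should never display it.
 DisplayNamestring`json:"display_name"`
 Site []Permission`json:"site"`
-// Org is a map of orgid to permissions. We represent orgid as a string.
-// We scope the organizations in the role so we can easily combine all the
-// roles.
+// Org is a map of organization IDs to permissions. Grouping by organization
+// makes roles easy to combine.
 Orgmap[string][]Permission`json:"org"`
 User []Permission`json:"user"`
+// OrgMember is a map of organization IDs to permissions. Grouping by
+// organization makes roles easy to combine.
 OrgMembermap[string][]Permission`json:"org_member"`
 
 // cachedRegoValue can be used to cache the rego value for this role.
 // This is helpful for static roles that never change.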
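Review bot: The doc comment on the new `OrgMember` field in the last hunk is a verbatim copy of the `Org` comment and does not say what makes the level different, even though the type comment a few lines up defines it as "resources in the given org that the user owns"; a reader of the struct alone will take it for a second org-wide map. Suggest `// OrgMember is a map of organization IDs to permissions that apply only to resources which are both in that organization AND owned by the subject; it is strictly narrower than Org.` Because `Role` "is the type passed into the rego as a json payload", the `org_member` key is now on the wire to the policy; none of the hunks here touch the rego or any role/permission validation, so it is worth confirming in the rest of the commit (or a follow-up) that the policy evaluates `org_member` with that intersection semantics rather than like `org`, since treating it as org-wide would silently widen any custom role that uses it. The `Role` struct and `ReloadBuiltinRoles` both extend beyond these hunks.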

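--- a/codersdk/roles.go
+++ b/codersdk/roles.go
@@ -59,6 +59,8 @@ type Role struct {
 // OrganizationPermissions are specific for the organization in the field 'OrganizationID' above.
 OrganizationPermissions []Permission`json:"organization_permissions" table:"organization permissions"`
 UserPermissions []Permission`json:"user_permissions" table:"user permissions"`
+// OrganizationMemberPermissions are specific for the organization in the field 'OrganizationID' above.
+OrganizationMemberPermissions []Permission`json:"organization_member_permissions" table:"organization member permissions"`
 }
 
 // CustomRoleRequest is used to edit custom roles.
@@ -69,6 +71,8 @@ type CustomRoleRequest struct {
 // OrganizationPermissions are specific to the organization the role belongs to.
 OrganizationPermissions []Permission`json:"organization_permissions" table:"organization permissions"`
 UserPermissions []Permission`json:"user_permissions" table:"user permissions"`
+// OrganizationMemberPermissions are specific to the organization the role belongs to.
+OrganizationMemberPermissions []Permission`json:"organization_member_permissions" table:"organization member permissions"`
 }
 
 // FullName returns the role name scoped to the organization ID. This is useful if
@@ -85,11 +89,12 @@ func (r Role) FullName() string {
 // CreateOrganizationRole will create a custom organization role
 func (c*Client)CreateOrganizationRole(ctx context.Context,roleRole) (Role,error) {
 req:=CustomRoleRequest{
-Name:role.Name,
-DisplayName:role.DisplayName,
-SitePermissions:role.SitePermissions,
-OrganizationPermissions:role.OrganizationPermissions,
-UserPermissions:role.UserPermissions,
+Name:role.Name,
+DisplayName:role.DisplayName,
+SitePermissions:role.SitePermissions,
+OrganizationPermissions:role.OrganizationPermissions,
+UserPermissions:role.UserPermissions,
+OrganizationMemberPermissions:role.OrganizationMemberPermissions,
 }
 
 res,err:=c.Request(ctx,http.MethodPost,
@@ -108,11 +113,12 @@ func (c *Client) CreateOrganizationRole(ctx context.Context, role Role) (Role, e
 // UpdateOrganizationRole will update an existing custom organization role
 func (c*Client)UpdateOrganizationRole(ctx context.Context,roleRole) (Role,error) {
 req:=CustomRoleRequest{
-Name:role.Name,
-DisplayName:role.DisplayName,
-SitePermissions:role.SitePermissions,
-OrganizationPermissions:role.OrganizationPermissions,
-UserPermissions:role.UserPermissions,
+Name:role.Name,
+DisplayName:role.DisplayName,
+SitePermissions:role.SitePermissions,
+OrganizationPermissions:role.OrganizationPermissions,
+UserPermissions:role.UserPermissions,
+OrganizationMemberPermissions:role.OrganizationMemberPermissions,
 }
 
 res,err:=c.Request(ctx,http.MethodPut,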
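Review bot: The two new `OrganizationMemberPermissions` doc comments in the first and second hunks are copies of the `OrganizationPermissions` comments above them and do not tell an API consumer how the two fields differ, which matters because this field is user-supplied input to the custom-role create/update endpoints. Suggest on the `Role` field: `// OrganizationMemberPermissions apply only to resources that are in the organization in 'OrganizationID' above AND owned by the subject; they are narrower than OrganizationPermissions.` and the same wording on `CustomRoleRequest`. Since the client now sends this field in both `CreateOrganizationRole` and `UpdateOrganizationRole`, the server-side handler that validates `CustomRoleRequest` (not in this diff) presumably needs to validate the new list with the same resource/action checks as the existing three, otherwise it is a way to smuggle unchecked permissions into a stored role; worth confirming in the remaining files of the commit.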
