
Commit8135c68

committed
(probably terrible) vibes
1 parentc24d0dc commit8135c68


2 files changed

+58
-2
lines changed


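--- a/coderd/rbac/input.json
+++ b/coderd/rbac/input.json
@@ -24,7 +24,8 @@
 }
 ],
 "org": {},
-"user": []
+"user": [],
+"org_member": {}
 }
 ],
 "groups": ["b617a647-b5d0-4cbe-9e40-26f89710bf18"],
@@ -44,7 +45,8 @@
 {
 "type":"workspace",
 "id":"*"
-}]
+}
+]
 }
 }
 }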
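Review bot: The added key at new line 28 is `"org_member": {}`, but the new rule in coderd/rbac/policy.rego iterates `roles[_].org_member_owner[_]`, so unless `org_member` is an unrelated field this input never reaches the new permission set and `org_member_owner_allow` sees no permissions for it. If this file is the sample input used to exercise the policy (inferred from its location next to policy.rego), the line should probably read `"org_member_owner": {}` so the new rule is actually evaluated. The value shape also differs from the sibling `"user": []` on the line above; worth confirming which shape the policy expects before relying on this fixture.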

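--- a/coderd/rbac/policy.rego
+++ b/coderd/rbac/policy.rego
@@ -246,6 +246,41 @@ user_allow(roles) := num if {
 num:=number(allow)
 }
 
+# -------------------
+# Organization Member Owner Rules
+# -------------------
+
+# 'org_member_owner' combines org membership and ownership requirements.
+# These rules only apply if:
+# 1. The user is a member of the organization the resource belongs to
+# 2. The user is the owner of the resource
+defaultorg_member_owner:=0
+org_member_owner:=org_member_owner_allow(input.subject.roles)
+
+defaultscope_org_member_owner:=0
+scope_org_member_owner:=org_member_owner_allow([input.subject.scope])
+
+org_member_owner_allow(roles):= num if{
+# Must be the owner of the object
+input.object.owner!=""
+input.subject.id= input.object.owner
+
+# Must be a member of the organization
+input.object.org_owner!=""
+input.object.org_owner inorg_members
+
+allow:= {is_allowed|
+# Iterate over all org_member_owner permissions in all roles
+perm:= roles[_].org_member_owner[_]
+perm.action in[input.action,"*"]
+perm.resource_type in[input.object.type,"*"]
+
+# is_allowed is either 'true' or 'false' if a matching permission exists.
+is_allowed:=bool_flip(perm.negate)
+}
+num:=number(allow)
+}
+
 # Scope allow_list is a list of resource (Type, ID) tuples explicitly allowed by the scope.
 # If the list contains `(*,*)`, then all resources are allowed.
 scope_allow_list if{
@@ -304,6 +339,15 @@ role_allow if {
 user=1
 }
 
+role_allow if{
+notsite=-1
+notorg=-1
+notuser=-1
+
+# Organization member owner permissions require both ownership and org membership
+org_member_owner=1
+}
+
 # -------------------
 # Scope-Specific Rules
 # -------------------
@@ -330,6 +374,16 @@ scope_allow if {
 scope_user=1
 }
 
+scope_allow if{
+scope_allow_list
+notscope_site=-1
+notscope_org=-1
+notscope_user=-1
+
+# Organization member owner permissions require both ownership and org membership
+scope_org_member_owner=1
+}
+
 # -------------------
 # ACL-Specific Rules
 # Access Control List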
