
Commit8e4cc6a

committed
:^)
1 parenta682db1 commit8e4cc6a


2 files changed

+12
-10
lines changed

2 files changed

+12
-10
lines changed

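--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -395,7 +395,9 @@ var (
 User:rbac.Permissions(map[string][]policy.Action{
 rbac.ResourceWorkspace.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionCreateAgent,policy.ActionDeleteAgent},
 }),
-ByOrgID:map[string]rbac.OrgPermissions{},
+ByOrgID:map[string]rbac.OrgPermissions{
+orgID.String(): {},
+},
 },
 }),
 Scope:rbac.ScopeAll,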
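Review bot: The added `orgID.String(): {}` entry carries no explanation, and an empty OrgPermissions value reads like leftover data that the next maintainer may drop or "fill in". From the paired policy.rego change in this commit it looks like the key's presence is what matters: `org_members` is now derived from the keys of `by_org_id`, so this entry appears to make the subject a member of the org without granting any org-scoped permission. Suggest a comment on that line: `// Membership only: policy.rego derives org_members from the keys of by_org_id; no org-scoped permissions are granted here.` Confirm that reading against the policy before wording it as fact. The enclosing `var (` block and the subject it defines start before the hunk, and where `orgID` comes from is not visible here.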

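--- a/coderd/rbac/policy.rego
+++ b/coderd/rbac/policy.rego
@@ -114,16 +114,16 @@ site_allow(roles) := num if {
 # Adding a second org_members set might affect the partial evaluation.
 # This is being left until org scopes are used.
 org_members:= {orgID|
-input.subject.roles[_].org[orgID]
+input.subject.roles[_].by_org_id[orgID]
 }
 
 # 'org' is the same as 'site' except we need to iterate over each organization
 # that the actor is a member of.
 defaultorg:=0
-org:=org_allow(input.subject.roles)
+org:=org_allow(input.subject.roles,"org")
 
 defaultscope_org:=0
-scope_org:=org_allow([input.subject.scope])
+scope_org:=org_allow([input.subject.scope],"org")
 
 # org_allow_set is a helper function that iterates over all orgs that the actor
 # is a member of. For each organization it sets the numerical allow value
@@ -135,12 +135,12 @@ scope_org := org_allow([input.subject.scope])
 # The reason we calculate this for all orgs, and not just the input.object.org_owner
 # is that sometimes the input.object.org_owner is unknown. In those cases
 # we have a list of org_ids that can we use in a SQL 'WHERE' clause.
-org_allow_set(roles):= allow_set if{
+org_allow_set(roles, key):= allow_set if{
 allow_set:= {id: num|
 id:= org_members[_]
 set:= {is_allowed|
 # Iterate over all org permissions in all roles
-perm:= roles[_].org[id][_]
+perm:= roles[_].by_org_id[id][key][_]
 perm.action in[input.action,"*"]
 perm.resource_type in[input.object.type,"*"]
 
@@ -151,11 +151,11 @@ org_allow_set(roles) := allow_set if {
 }
 }
 
-org_allow(roles):= num if{
+org_allow(roles, key):= num if{
 # If the object has "any_org" set to true, then use the other
 # org_allow block.
 notinput.object.any_org
-allow:=org_allow_set(roles)
+allow:=org_allow_set(roles, key)
 
 # Return only the org value of the input's org.
 # The reason why we do not do this up front, is that we need to make sure
@@ -171,9 +171,9 @@ org_allow(roles) := num if {
 # This is useful for UI elements when we want to conclude, "Can the user create
 # a new template in any organization?"
 # It is easier than iterating over every organization the user is apart of.
-org_allow(roles):= num if{
+org_allow(roles, key):= num if{
 input.object.any_org# if this is false, this code block is not used
-allow:=org_allow_set(roles)
+allow:=org_allow_set(roles, key)
 
 # allow is a map of {"<org_id>": <number>}. We only care about values
 # that are 1, and ignore the rest.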
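Review bot: The new `key` parameter of `org_allow_set` and `org_allow` is undocumented, and every caller passes the literal `"org"`, so which sub-maps of `by_org_id[id]` are valid keys and what happens when an org has no such key must be inferred. Suggest a comment above `org_allow_set`: `# key names the per-org permission set read from roles[_].by_org_id[id] (currently only "org"); an org whose entry lacks that key yields an empty set here, i.e. no allow or deny from that org.` The empty-set outcome is what the comprehension gives for a missing key; how `num` is then derived from `set` is outside the hunk, so confirm it treats an empty set as neutral. Also worth stating near `org_members` that membership is decided by the presence of any `by_org_id[orgID]` entry while permissions are read from the selected key, since that asymmetry is what lets the dbauthz.go subject in this commit be a member with an empty permission set. The bodies of `org_allow_set` and both `org_allow` rules continue past their hunks.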

