NotificationsYou must be signed in to change notification settings
Fork927
Star10.1k

Commita85a220

authored

chore: clean up built-in role permissions (#16645)

1 parenta376e8d commita85a220Copy full SHA for a85a220

File tree

4 files changed

+37

-32

lines changed

coderd/rbac
- roles.go
- roles_test.go
site/src/modules/management
- OrganizationSidebarView.tsx
- organizationPermissions.tsx

4 files changed

+37

-32

lines changed

`‎coderd/rbac/roles.go`

Lines changed: 16 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -283,10 +283,11 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`283`	`283`	`Permissions(map[string][]policy.Action{`
`284`	`284`	`// Reduced permission set on dormant workspaces. No build, ssh, or exec`
`285`	`285`	`ResourceWorkspaceDormant.Type: {policy.ActionRead,policy.ActionDelete,policy.ActionCreate,policy.ActionUpdate,policy.ActionWorkspaceStop},`
`286`		`-`
`287`	`286`	`// Users cannot do create/update/delete on themselves, but they`
`288`	`287`	`// can read their own details.`
`289`	`288`	`ResourceUser.Type: {policy.ActionRead,policy.ActionReadPersonal,policy.ActionUpdatePersonal},`
	`289`	`+// Can read their own organization member record`
	`290`	`+ResourceOrganizationMember.Type: {policy.ActionRead},`
`290`	`291`	`// Users can create provisioner daemons scoped to themselves.`
`291`	`292`	`ResourceProvisionerDaemon.Type: {policy.ActionRead,policy.ActionCreate,policy.ActionRead,policy.ActionUpdate},`
`292`	`293`	`})...,`
`@@ -423,12 +424,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`423`	`424`	`ResourceAssignOrgRole.Type: {policy.ActionRead},`
`424`	`425`	`}),`
`425`	`426`	`},`
`426`		`-User: []Permission{`
`427`		`-{`
`428`		`-ResourceType:ResourceOrganizationMember.Type,`
`429`		`-Action:policy.ActionRead,`
`430`		`-},`
`431`		`-},`
	`427`	`+User: []Permission{},`
`432`	`428`	`}`
`433`	`429`	`},`
`434`	`430`	`orgAuditor:func(organizationID uuid.UUID)Role {`
`@@ -439,6 +435,12 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`439`	`435`	`Org:map[string][]Permission{`
`440`	`436`	`organizationID.String():Permissions(map[string][]policy.Action{`
`441`	`437`	`ResourceAuditLog.Type: {policy.ActionRead},`
	`438`	`+// Allow auditors to see the resources that audit logs reflect.`
	`439`	`+ResourceTemplate.Type: {policy.ActionRead,policy.ActionViewInsights},`
	`440`	`+ResourceGroup.Type: {policy.ActionRead},`
	`441`	`+ResourceGroupMember.Type: {policy.ActionRead},`
	`442`	`+ResourceOrganization.Type: {policy.ActionRead},`
	`443`	`+ResourceOrganizationMember.Type: {policy.ActionRead},`
`442`	`444`	`}),`
`443`	`445`	`},`
`444`	`446`	`User: []Permission{},`
`@@ -458,6 +460,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`458`	`460`	`organizationID.String():Permissions(map[string][]policy.Action{`
`459`	`461`	`// Assign, remove, and read roles in the organization.`
`460`	`462`	`ResourceAssignOrgRole.Type: {policy.ActionAssign,policy.ActionDelete,policy.ActionRead},`
	`463`	`+ResourceOrganization.Type: {policy.ActionRead},`
`461`	`464`	`ResourceOrganizationMember.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`462`	`465`	`ResourceGroup.Type:ResourceGroup.AvailableActions(),`
`463`	`466`	`ResourceGroupMember.Type:ResourceGroupMember.AvailableActions(),`
`@@ -479,10 +482,15 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`479`	`482`	`ResourceFile.Type: {policy.ActionCreate,policy.ActionRead},`
`480`	`483`	`ResourceWorkspace.Type: {policy.ActionRead},`
`481`	`484`	`// Assigning template perms requires this permission.`
	`485`	`+ResourceOrganization.Type: {policy.ActionRead},`
`482`	`486`	`ResourceOrganizationMember.Type: {policy.ActionRead},`
`483`	`487`	`ResourceGroup.Type: {policy.ActionRead},`
`484`	`488`	`ResourceGroupMember.Type: {policy.ActionRead},`
`485`		`-ResourceProvisionerJobs.Type: {policy.ActionRead},`
	`489`	`+// Since templates have to correlate with provisioners,`
	`490`	`+// the ability to create templates and provisioners has`
	`491`	`+// a lot of overlap.`
	`492`	`+ResourceProvisionerDaemon.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
	`493`	`+ResourceProvisionerJobs.Type: {policy.ActionRead},`
`486`	`494`	`}),`
`487`	`495`	`},`
`488`	`496`	`User: []Permission{},`

`‎coderd/rbac/roles_test.go`

Lines changed: 18 additions & 18 deletions

Original file line number	Diff line number	Diff line change
`@@ -217,20 +217,20 @@ func TestRolePermissions(t *testing.T) {`
`217`	`217`	`},`
`218`	`218`	`{`
`219`	`219`	`Name:"Templates",`
`220`		`-Actions: []policy.Action{policy.ActionCreate,policy.ActionUpdate,policy.ActionDelete,policy.ActionViewInsights},`
	`220`	`+Actions: []policy.Action{policy.ActionCreate,policy.ActionUpdate,policy.ActionDelete},`
`221`	`221`	`Resource:rbac.ResourceTemplate.WithID(templateID).InOrg(orgID),`
`222`	`222`	`AuthorizeMap:map[bool][]hasAuthSubjects{`
`223`	`223`	`true: {owner,orgAdmin,templateAdmin,orgTemplateAdmin},`
`224`		`-false: {setOtherOrg,orgAuditor,orgUserAdmin,memberMe,orgMemberMe,userAdmin},`
	`224`	`+false: {setOtherOrg,orgUserAdmin,orgAuditor,memberMe,orgMemberMe,userAdmin},`
`225`	`225`	`},`
`226`	`226`	`},`
`227`	`227`	`{`
`228`	`228`	`Name:"ReadTemplates",`
`229`		`-Actions: []policy.Action{policy.ActionRead},`
	`229`	`+Actions: []policy.Action{policy.ActionRead,policy.ActionViewInsights},`
`230`	`230`	`Resource:rbac.ResourceTemplate.InOrg(orgID),`
`231`	`231`	`AuthorizeMap:map[bool][]hasAuthSubjects{`
`232`		`-true: {owner,orgAdmin,templateAdmin,orgTemplateAdmin},`
`233`		`-false: {setOtherOrg,orgAuditor,orgUserAdmin,memberMe,userAdmin,orgMemberMe},`
	`232`	`+true: {owner,orgAuditor,orgAdmin,templateAdmin,orgTemplateAdmin},`
	`233`	`+false: {setOtherOrg,orgUserAdmin,memberMe,userAdmin,orgMemberMe},`
`234`	`234`	`},`
`235`	`235`	`},`
`236`	`236`	`{`
`@@ -377,8 +377,8 @@ func TestRolePermissions(t *testing.T) {`
`377`	`377`	`Actions: []policy.Action{policy.ActionRead},`
`378`	`378`	`Resource:rbac.ResourceOrganizationMember.WithID(currentUser).InOrg(orgID).WithOwner(currentUser.String()),`
`379`	`379`	`AuthorizeMap:map[bool][]hasAuthSubjects{`
`380`		`-true: {owner,orgAdmin,userAdmin,orgMemberMe,templateAdmin,orgUserAdmin,orgTemplateAdmin},`
`381`		`-false: {memberMe,setOtherOrg,orgAuditor},`
	`380`	`+true: {owner,orgAuditor,orgAdmin,userAdmin,orgMemberMe,templateAdmin,orgUserAdmin,orgTemplateAdmin},`
	`381`	`+false: {memberMe,setOtherOrg},`
`382`	`382`	`},`
`383`	`383`	`},`
`384`	`384`	`{`
`@@ -404,7 +404,7 @@ func TestRolePermissions(t *testing.T) {`
`404`	`404`	`}),`
`405`	`405`	`AuthorizeMap:map[bool][]hasAuthSubjects{`
`406`	`406`	`true: {owner,orgAdmin,userAdmin,orgUserAdmin},`
`407`		`-false: {setOtherOrg,memberMe,orgMemberMe,templateAdmin,orgTemplateAdmin,orgAuditor,groupMemberMe},`
	`407`	`+false: {setOtherOrg,memberMe,orgMemberMe,templateAdmin,orgTemplateAdmin,groupMemberMe,orgAuditor},`
`408`	`408`	`},`
`409`	`409`	`},`
`410`	`410`	`{`
`@@ -416,26 +416,26 @@ func TestRolePermissions(t *testing.T) {`
`416`	`416`	`},`
`417`	`417`	`}),`
`418`	`418`	`AuthorizeMap:map[bool][]hasAuthSubjects{`
`419`		`-true: {owner,orgAdmin,userAdmin,templateAdmin,orgTemplateAdmin,orgUserAdmin,groupMemberMe},`
`420`		`-false: {setOtherOrg,memberMe,orgMemberMe,orgAuditor},`
	`419`	`+true: {owner,orgAdmin,userAdmin,templateAdmin,orgTemplateAdmin,orgUserAdmin,groupMemberMe,orgAuditor},`
	`420`	`+false: {setOtherOrg,memberMe,orgMemberMe},`
`421`	`421`	`},`
`422`	`422`	`},`
`423`	`423`	`{`
`424`	`424`	`Name:"GroupMemberMeRead",`
`425`	`425`	`Actions: []policy.Action{policy.ActionRead},`
`426`	`426`	`Resource:rbac.ResourceGroupMember.WithID(currentUser).InOrg(orgID).WithOwner(currentUser.String()),`
`427`	`427`	`AuthorizeMap:map[bool][]hasAuthSubjects{`
`428`		`-true: {owner,orgAdmin,userAdmin,templateAdmin,orgTemplateAdmin,orgUserAdmin,orgMemberMe,groupMemberMe},`
`429`		`-false: {setOtherOrg,memberMe,orgAuditor},`
	`428`	`+true: {owner,orgAuditor,orgAdmin,userAdmin,templateAdmin,orgTemplateAdmin,orgUserAdmin,orgMemberMe,groupMemberMe},`
	`429`	`+false: {setOtherOrg,memberMe},`
`430`	`430`	`},`
`431`	`431`	`},`
`432`	`432`	`{`
`433`	`433`	`Name:"GroupMemberOtherRead",`
`434`	`434`	`Actions: []policy.Action{policy.ActionRead},`
`435`	`435`	`Resource:rbac.ResourceGroupMember.WithID(adminID).InOrg(orgID).WithOwner(adminID.String()),`
`436`	`436`	`AuthorizeMap:map[bool][]hasAuthSubjects{`
`437`		`-true: {owner,orgAdmin,userAdmin,templateAdmin,orgTemplateAdmin,orgUserAdmin},`
`438`		`-false: {setOtherOrg,memberMe,orgAuditor,orgMemberMe,groupMemberMe},`
	`437`	`+true: {owner,orgAuditor,orgAdmin,userAdmin,templateAdmin,orgTemplateAdmin,orgUserAdmin},`
	`438`	`+false: {setOtherOrg,memberMe,orgMemberMe,groupMemberMe},`
`439`	`439`	`},`
`440`	`440`	`},`
`441`	`441`	`{`
`@@ -534,8 +534,8 @@ func TestRolePermissions(t *testing.T) {`
`534`	`534`	`Actions: []policy.Action{policy.ActionCreate,policy.ActionUpdate,policy.ActionDelete},`
`535`	`535`	`Resource:rbac.ResourceProvisionerDaemon.InOrg(orgID),`
`536`	`536`	`AuthorizeMap:map[bool][]hasAuthSubjects{`
`537`		`-true: {owner,templateAdmin,orgAdmin},`
`538`		`-false: {setOtherOrg,orgTemplateAdmin,orgUserAdmin,memberMe,orgMemberMe,userAdmin,orgAuditor},`
	`537`	`+true: {owner,templateAdmin,orgAdmin,orgTemplateAdmin},`
	`538`	`+false: {setOtherOrg,orgAuditor,orgUserAdmin,memberMe,orgMemberMe,userAdmin},`
`539`	`539`	`},`
`540`	`540`	`},`
`541`	`541`	`{`
`@@ -552,8 +552,8 @@ func TestRolePermissions(t *testing.T) {`
`552`	`552`	`Actions: []policy.Action{policy.ActionCreate,policy.ActionUpdate,policy.ActionDelete},`
`553`	`553`	`Resource:rbac.ResourceProvisionerDaemon.WithOwner(currentUser.String()).InOrg(orgID),`
`554`	`554`	`AuthorizeMap:map[bool][]hasAuthSubjects{`
`555`		`-true: {owner,templateAdmin,orgMemberMe,orgAdmin},`
`556`		`-false: {setOtherOrg,memberMe,userAdmin,orgTemplateAdmin,orgUserAdmin,orgAuditor},`
	`555`	`+true: {owner,templateAdmin,orgTemplateAdmin,orgMemberMe,orgAdmin},`
	`556`	`+false: {setOtherOrg,memberMe,userAdmin,orgUserAdmin,orgAuditor},`
`557`	`557`	`},`
`558`	`558`	`},`
`559`	`559`	`{`

`‎site/src/modules/management/OrganizationSidebarView.tsx`

Lines changed: 3 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -167,11 +167,9 @@ const OrganizationSettingsNavigation: FC<`
`167`	`167`	`return(`
`168`	`168`	`<>`
`169`	`169`	`<divclassName="flex flex-col gap-1 my-2">`
`170`		`-{orgPermissions.viewMembers&&(`
`171`		`-<SettingsSidebarNavItemendhref={urlForSubpage(organization.name)}>`
`172`		`-Members`
`173`		`-</SettingsSidebarNavItem>`
`174`		`-)}`
	`170`	`+<SettingsSidebarNavItemendhref={urlForSubpage(organization.name)}>`
	`171`	`+Members`
	`172`	`+</SettingsSidebarNavItem>`
`175`	`173`	`{orgPermissions.viewGroups&&(`
`176`	`174`	`<SettingsSidebarNavItem`
`177`	`175`	`href={urlForSubpage(organization.name,"groups")}`

`‎site/src/modules/management/organizationPermissions.tsx`

Lines changed: 0 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -114,7 +114,6 @@ export const canViewOrganization = (`
`114`	`114`	`permissions!==undefined&&`
`115`	`115`	`(permissions.viewMembers\|\|`
`116`	`116`	`permissions.viewGroups\|\|`
`117`		`-permissions.viewOrgRoles\|\|`
`118`	`117`	`permissions.viewProvisioners\|\|`
`119`	`118`	`permissions.viewIdpSyncSettings)`
`120`	`119`	`);`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita85a220

File tree

4 files changed

4 files changed

`‎coderd/rbac/roles.go`

`‎coderd/rbac/roles_test.go`

`‎site/src/modules/management/OrganizationSidebarView.tsx`

`‎site/src/modules/management/organizationPermissions.tsx`

0 commit comments