NotificationsYou must be signed in to change notification settings
Fork924
Star10.1k

Commitafc5359

committed

fix: explicitly set prebuild_workspace permissions

1 parent6cae769 commitafc5359Copy full SHA for afc5359

File tree

3 files changed

+15

-4

lines changed

coderd
- database/dbauthz
  - dbauthz.go
- rbac
  - roles.go
  - roles_test.go

3 files changed

+15

-4

lines changed

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -412,6 +412,9 @@ var (`
`412`	`412`	`policy.ActionCreate,policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,`
`413`	`413`	`policy.ActionWorkspaceStart,policy.ActionWorkspaceStop,`
`414`	`414`	`},`
	`415`	`+// PrebuiltWorkspaces are a subset of Workspaces.`
	`416`	`+// Explicitly setting PrebuiltWorkspace permissions for clarity.`
	`417`	`+// Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions.`
`415`	`418`	`rbac.ResourcePrebuiltWorkspace.Type: {`
`416`	`419`	`policy.ActionRead,policy.ActionUpdate,policy.ActionDelete,`
`417`	`420`	`},`

`‎coderd/rbac/roles.go`

Lines changed: 10 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -270,11 +270,15 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`270`	`270`	`Site:append(`
`271`	`271`	`// Workspace dormancy and workspace are omitted.`
`272`	`272`	`// Workspace is specifically handled based on the opts.NoOwnerWorkspaceExec`
`273`		`-allPermsExcept(ResourceWorkspaceDormant,ResourceWorkspace),`
	`273`	`+allPermsExcept(ResourceWorkspaceDormant,ResourcePrebuiltWorkspace,ResourceWorkspace),`
`274`	`274`	`// This adds back in the Workspace permissions.`
`275`	`275`	`Permissions(map[string][]policy.Action{`
`276`	`276`	`ResourceWorkspace.Type:ownerWorkspaceActions,`
`277`	`277`	`ResourceWorkspaceDormant.Type: {policy.ActionRead,policy.ActionDelete,policy.ActionCreate,policy.ActionUpdate,policy.ActionWorkspaceStop,policy.ActionCreateAgent,policy.ActionDeleteAgent},`
	`278`	`+// PrebuiltWorkspaces are a subset of Workspaces.`
	`279`	`+// Explicitly setting PrebuiltWorkspace permissions for clarity.`
	`280`	`+// Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions.`
	`281`	`+ResourcePrebuiltWorkspace.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`278`	`282`	`})...),`
`279`	`283`	`Org:map[string][]Permission{},`
`280`	`284`	`User: []Permission{},`
`@@ -290,7 +294,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`290`	`294`	`ResourceWorkspaceProxy.Type: {policy.ActionRead},`
`291`	`295`	`}),`
`292`	`296`	`Org:map[string][]Permission{},`
`293`		`-User:append(allPermsExcept(ResourceWorkspaceDormant,ResourceUser,ResourceOrganizationMember),`
	`297`	`+User:append(allPermsExcept(ResourceWorkspaceDormant,ResourcePrebuiltWorkspace,ResourceUser,ResourceOrganizationMember),`
`294`	`298`	`Permissions(map[string][]policy.Action{`
`295`	`299`	`// Reduced permission set on dormant workspaces. No build, ssh, or exec`
`296`	`300`	`ResourceWorkspaceDormant.Type: {policy.ActionRead,policy.ActionDelete,policy.ActionCreate,policy.ActionUpdate,policy.ActionWorkspaceStop,policy.ActionCreateAgent,policy.ActionDeleteAgent},`
`@@ -417,6 +421,10 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`417`	`421`	`organizationID.String():append(allPermsExcept(ResourceWorkspace,ResourceWorkspaceDormant,ResourcePrebuiltWorkspace,ResourceAssignRole),Permissions(map[string][]policy.Action{`
`418`	`422`	`ResourceWorkspaceDormant.Type: {policy.ActionRead,policy.ActionDelete,policy.ActionCreate,policy.ActionUpdate,policy.ActionWorkspaceStop,policy.ActionCreateAgent,policy.ActionDeleteAgent},`
`419`	`423`	`ResourceWorkspace.Type:slice.Omit(ResourceWorkspace.AvailableActions(),policy.ActionApplicationConnect,policy.ActionSSH),`
	`424`	`+// PrebuiltWorkspaces are a subset of Workspaces.`
	`425`	`+// Explicitly setting PrebuiltWorkspace permissions for clarity.`
	`426`	`+// Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions.`
	`427`	`+ResourcePrebuiltWorkspace.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`420`	`428`	`})...),`
`421`	`429`	`},`
`422`	`430`	`User: []Permission{},`

`‎coderd/rbac/roles_test.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -501,8 +501,8 @@ func TestRolePermissions(t *testing.T) {`
`501`	`501`	`Actions: []policy.Action{policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`502`	`502`	`Resource:rbac.ResourcePrebuiltWorkspace.WithID(uuid.New()).InOrg(orgID).WithOwner(memberMe.Actor.ID),`
`503`	`503`	`AuthorizeMap:map[bool][]hasAuthSubjects{`
`504`		`-true: {owner,orgMemberMe,templateAdmin,orgTemplateAdmin},`
`505`		`-false: {setOtherOrg,userAdmin,memberMe,orgAdmin,orgUserAdmin,orgAuditor},`
	`504`	`+true: {owner,orgAdmin,templateAdmin,orgTemplateAdmin},`
	`505`	`+false: {setOtherOrg,userAdmin,memberMe,orgUserAdmin,orgAuditor,orgMemberMe},`
`506`	`506`	`},`
`507`	`507`	`},`
`508`	`508`	`// Some admin style resources`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitafc5359

File tree

3 files changed

3 files changed

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/rbac/roles.go`

`‎coderd/rbac/roles_test.go`

0 commit comments