Commit b0e8280

johnstcn and Emyrk authored
Apply suggestions from code review
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
1 parent 87806dc commit b0e8280


1 file changed, +7 -9 lines changed


coderd/rbac/USAGE.md

Lines changed: 7 additions & 9 deletions
@@ -31,6 +31,8 @@ These can be found in `coderd/rbac/roles.go`.
3131
|**orgUserAdmin**| Like**userAdmin**, but scoped to a single organization|_(org-level equivalent)_|
3232
|**orgTemplateAdmin**| Like**templateAdmin**, but scoped to a single organization|_(org-level equivalent)_|
3333

34+
**Note an example resource indicates the role has at least 1 permission related to the resource. Not that the role has complete CRUD access to the resource.**
35+
3436
_\* except some, which are not important to this overview_
3537

3638
##Actions
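
Review bot: The note added at new line 34 is written as two fragments ("Note an example resource indicates ... Not that the role has ...") and is placed between the roles table and the `_\* except some ..._` footnote that used to follow the table directly. Suggest moving it below the footnote and making it one sentence, for example "**Note:** an example resource means the role has at least one permission on that resource, not complete CRUD access to it", so readers do not infer broader access from the table than a role actually has.
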
@@ -135,7 +137,7 @@ In our case, we want **members** to be able to CRUD their own frobulators and we
135137
want**owners** to CRUD all members' frobulators. This is how most resources
136138
work, and the RBAC system is setup for this by default.
137139

138-
However, let's say we want**auditors** to have read-only access to allmembers'
140+
However, let's say we want**organizationauditors** to have read-only access to allorganization's
139141
frobulators; we need to add it to`coderd/rbac/roles.go`:
140142

141143
```go
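
Review bot: In the changed sentence at new line 140, "all organization's frobulators" does not say which organization is meant and no longer parallels the unchanged "all members' frobulators" two lines above. Suggest "read-only access to all frobulators in their organization", which states the scope of the read permission (one organization) explicitly.
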
@@ -208,7 +210,7 @@ func TestRolePermissions(t *testing.T) {
208210
...
209211
{
210212
// Users should be able to modify their own frobulators
211-
// Admins from the current organization should be able to modify any otheruser's frobulators
213+
// Admins from the current organization should be able to modify any othermembers' frobulators
212214
// Owner should be able to modify any other user's frobulators
213215
Name:"FrobulatorsModify",
214216
Actions: []policy.Action{policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
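
Review bot: The changed comment at new line 213 says "any other members' frobulators" while the unchanged Owner comment directly below it still says "any other user's frobulators", so one test case now uses two terms for the resource owner. If the distinction is intended (organization admins act on members of their organization, Owner on any user), a short remark would help; otherwise use one term. After "any other", the singular possessive "member's" also reads more naturally.
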
@@ -220,8 +222,8 @@ func TestRolePermissions(t *testing.T) {
220222
},
221223
{
222224
// Users should be able to read their own frobulators
223-
// Admins from the current organization should be able to read any otheruser's frobulators
224-
// Auditors should be able to read any otheruser's frobulators
225+
// Admins from the current organization should be able to read any othermembers' frobulators
226+
// Auditors should be able to read any othermembers' frobulators
225227
// Owner should be able to read any other user's frobulators
226228
Name:"FrobulatorsReadOnly",
227229
Actions: []policy.Action{policy.ActionRead},
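
Review bot: The changed Auditors comment at new line 226 states no organization scope, unlike the Admins comment above it ("Admins from the current organization ...") and unlike the USAGE.md prose that this same commit changes to "organization auditors". Suggest "Auditors from the current organization should be able to read any other member's frobulators" so the comment and the prose describe the same scope. The Owner line below still says "user's", the same mixed terminology as in the FrobulatorsModify case.
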
@@ -299,13 +301,9 @@ Let's modify this function:
299301
```go
300302
...
301303
func (q *querier) GetUserFrobulators(ctx context.Context, userID uuid.UUID) ([]database.Frobulator, error) {
302-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceFrobulator.WithOwner(userID.String())); err != nil {
303-
return nil, err
304-
}
305-
return q.db.GetUserFrobulators(ctx, userID)
304+
return fetch(q.log, q.auth, q.db.GetUserFrobulators)(ctx, id)
306305
}
307306
...
308-
```
309307
310308
This states that the`policy.ActionRead` permission is required in this query on
311309
the`ResourceFrobulator` resources, and`WithOwner(userID.String())` specifies
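
Review bot: The added line at new line 304 calls `(ctx, id)`, but the function's parameter is `userID` and no `id` is declared in the visible lines, so the example as written would not compile; it should pass `userID`. The hunk also deletes the closing code fence at old line 308, which leaves the go block open, and the unchanged prose that follows still explains `policy.ActionRead` and `WithOwner(userID.String())`, neither of which appears in the example any more. With the explicit `authorizeContext` call removed, that paragraph should explain whether and how `fetch` performs the read check on the frobulator's owner.
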
