NotificationsYou must be signed in to change notification settings
Fork905
Star10k

Commitbf5b002

authored

fix: add org role read permissions to site wide template admins and auditors (#16733)

resolvescoder/internal#388Since site-wide admins and auditors are able to access the members pageof any org, they should have read access to org roles

1 parent464fccd commitbf5b002Copy full SHA for bf5b002

File tree

2 files changed

-4

lines changed

coderd/rbac
- roles.go
- roles_test.go

2 files changed

-4

lines changed

`‎coderd/rbac/roles.go`

Lines changed: 4 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -307,7 +307,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`307`	`307`	`Identifier:RoleAuditor(),`
`308`	`308`	`DisplayName:"Auditor",`
`309`	`309`	`Site:Permissions(map[string][]policy.Action{`
`310`		`-ResourceAuditLog.Type: {policy.ActionRead},`
	`310`	`+ResourceAssignOrgRole.Type: {policy.ActionRead},`
	`311`	`+ResourceAuditLog.Type: {policy.ActionRead},`
`311`	`312`	`// Allow auditors to see the resources that audit logs reflect.`
`312`	`313`	`ResourceTemplate.Type: {policy.ActionRead,policy.ActionViewInsights},`
`313`	`314`	`ResourceUser.Type: {policy.ActionRead},`
`@@ -327,7 +328,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`327`	`328`	`Identifier:RoleTemplateAdmin(),`
`328`	`329`	`DisplayName:"Template Admin",`
`329`	`330`	`Site:Permissions(map[string][]policy.Action{`
`330`		`-ResourceTemplate.Type:ResourceTemplate.AvailableActions(),`
	`331`	`+ResourceAssignOrgRole.Type: {policy.ActionRead},`
	`332`	`+ResourceTemplate.Type:ResourceTemplate.AvailableActions(),`
`331`	`333`	`// CRUD all files, even those they did not upload.`
`332`	`334`	`ResourceFile.Type: {policy.ActionCreate,policy.ActionRead},`
`333`	`335`	`ResourceWorkspace.Type: {policy.ActionRead},`

`‎coderd/rbac/roles_test.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -352,8 +352,8 @@ func TestRolePermissions(t *testing.T) {`
`352`	`352`	`Actions: []policy.Action{policy.ActionRead},`
`353`	`353`	`Resource:rbac.ResourceAssignOrgRole.InOrg(orgID),`
`354`	`354`	`AuthorizeMap:map[bool][]hasAuthSubjects{`
`355`		`-true: {owner,setOrgNotMe,orgMemberMe,userAdmin},`
`356`		`-false: {setOtherOrg,memberMe,templateAdmin},`
	`355`	`+true: {owner,setOrgNotMe,orgMemberMe,userAdmin,templateAdmin},`
	`356`	`+false: {setOtherOrg,memberMe},`
`357`	`357`	`},`
`358`	`358`	`},`
`359`	`359`	`{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitbf5b002

File tree

2 files changed

2 files changed

`‎coderd/rbac/roles.go`

`‎coderd/rbac/roles_test.go`

0 commit comments