Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: add organization-scoped permission checks to deployment settings#14063

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
code-asher merged 20 commits intomainfromasher/org-permissions
Aug 6, 2024
Merged
Show file tree
Hide file tree
Changes fromall commits
Commits
Show all changes
20 commits
Select commitHold shift + click to select a range
07abd01
s/readAllUsers/viewAllUsers
code-asherJul 30, 2024
bd52bec
Check license for organizations
code-asherJul 30, 2024
2779677
Allow any auditor to view the audit log
code-asherJul 30, 2024
e0a933e
Scope create group button to organizations
code-asherJul 30, 2024
6dba321
Use fine-grained permissions on settings page
code-asherJul 31, 2024
69c50ec
Dedupe disable org permission query
code-asherJul 31, 2024
2a8c38b
Fix edit org member check
code-asherJul 31, 2024
9fdd425
Show better message when unable to edit anything in an org
code-asherJul 31, 2024
8760d0b
Update org member tests
code-asherJul 31, 2024
5ad80b9
Add stories for organization members page
code-asherJul 31, 2024
a370037
Add stories for multi-org sidebar
code-asherAug 1, 2024
a3698d8
Remove multi-org check from management settings layout
code-asherAug 1, 2024
185f2c0
Check for license permission
code-asherAug 1, 2024
d7afcfc
Add more stories for deployment dropdown
code-asherAug 1, 2024
12e5a42
Throw error if no default org
code-asherAug 5, 2024
4a7c9d9
Merge branch 'main' into asher/org-permissions
code-asherAug 5, 2024
55a2d47
Use default org ID in old pages
code-asherAug 5, 2024
e58b032
Remove org permission-based redirects
code-asherAug 5, 2024
0b4b00b
Use old permission for old pages
code-asherAug 6, 2024
5a547fc
Show ineditable form without org edit perm
code-asherAug 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 61 additions & 0 deletionssite/src/api/queries/organizations.ts
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -120,3 +120,64 @@ export const provisionerDaemons = (organization: string) => {
queryFn: () => API.getProvisionerDaemonsByOrganization(organization),
};
};

/**
* Fetch permissions for a single organization.
*
* If the ID is undefined, return a disabled query.
*/
export const organizationPermissions = (organizationId: string | undefined) => {
if (!organizationId) {
return { enabled: false };
}
return {
queryKey: ["organization", organizationId, "permissions"],
queryFn: () =>
API.checkAuthorization({
checks: {
viewMembers: {
object: {
resource_type: "organization_member",
organization_id: organizationId,
},
action: "read",
},
editMembers: {
object: {
resource_type: "organization_member",
organization_id: organizationId,
},
action: "update",
},
createGroup: {
object: {
resource_type: "group",
organization_id: organizationId,
},
action: "create",
},
viewGroups: {
object: {
resource_type: "group",
organization_id: organizationId,
},
action: "read",
},
editOrganization: {
object: {
resource_type: "organization",
organization_id: organizationId,
},
action: "update",
},
auditOrganization: {
object: {
resource_type: "audit_log",
organization_id: organizationId,
},
action: "read",
},
},
}),
};
};
54 changes: 46 additions & 8 deletionssite/src/contexts/auth/permissions.tsx
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -1,21 +1,26 @@
export const checks = {
readAllUsers: "readAllUsers",
viewAllUsers: "viewAllUsers",
updateUsers: "updateUsers",
createUser: "createUser",
createTemplates: "createTemplates",
updateTemplates: "updateTemplates",
deleteTemplates: "deleteTemplates",
viewAuditLog: "viewAuditLog",
viewAnyAuditLog: "viewAnyAuditLog",
viewDeploymentValues: "viewDeploymentValues",
createGroup: "createGroup",
editDeploymentValues: "editDeploymentValues",
viewUpdateCheck: "viewUpdateCheck",
viewExternalAuthConfig: "viewExternalAuthConfig",
viewDeploymentStats: "viewDeploymentStats",
editWorkspaceProxies: "editWorkspaceProxies",
createOrganization: "createOrganization",
editAnyOrganization: "editAnyOrganization",
viewAnyGroup: "viewAnyGroup",
createGroup: "createGroup",
viewAllLicenses: "viewAllLicenses",
} as const;

export const permissionsToCheck = {
[checks.readAllUsers]: {
[checks.viewAllUsers]: {
object: {
resource_type: "user",
},
Expand DownExpand Up@@ -51,9 +56,10 @@ export const permissionsToCheck = {
},
action: "delete",
},
[checks.viewAuditLog]: {
[checks.viewAnyAuditLog]: {
object: {
resource_type: "audit_log",
any_org: true,
},
action: "read",
},
Expand All@@ -63,11 +69,11 @@ export const permissionsToCheck = {
},
action: "read",
},
[checks.createGroup]: {
[checks.editDeploymentValues]: {
object: {
resource_type: "group",
resource_type: "deployment_config",
},
action: "create",
action: "update",
},
[checks.viewUpdateCheck]: {
object: {
Expand All@@ -93,6 +99,38 @@ export const permissionsToCheck = {
},
action: "create",
},
[checks.createOrganization]: {
object: {
resource_type: "organization",
},
action: "create",
},
[checks.editAnyOrganization]: {
object: {
resource_type: "organization",
any_org: true,
},
action: "update",
},
[checks.viewAnyGroup]: {
object: {
resource_type: "group",
org_id: "any",
},
action: "read",
},
[checks.createGroup]: {
object: {
resource_type: "group",
},
action: "create",
},
[checks.viewAllLicenses]: {
object: {
resource_type: "license",
},
action: "read",
},
} as const;

export type Permissions = Record<keyof typeof permissionsToCheck, boolean>;
5 changes: 3 additions & 2 deletionssite/src/modules/dashboard/Navbar/Navbar.tsx
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -16,12 +16,13 @@ export const Navbar: FC = () => {
const { user: me, permissions, signOut } = useAuthenticated();
const featureVisibility = useFeatureVisibility();
const canViewAuditLog =
featureVisibility["audit_log"] && Boolean(permissions.viewAuditLog);
featureVisibility.audit_log && Boolean(permissions.viewAnyAuditLog);
const canViewDeployment = Boolean(permissions.viewDeploymentValues);
const canViewOrganizations =
Boolean(permissions.editAnyOrganization) &&
featureVisibility.multiple_organizations &&
experiments.includes("multi-organization");
const canViewAllUsers = Boolean(permissions.readAllUsers);
const canViewAllUsers = Boolean(permissions.viewAllUsers);
const proxyContextValue = useProxy();
const canViewHealth = canViewDeployment;

Expand Down
44 changes: 41 additions & 3 deletionssite/src/modules/dashboard/Navbar/NavbarView.stories.tsx
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,5 @@
import type { Meta, StoryObj } from "@storybook/react";
import { within, userEvent } from "@storybook/test";
import { chromaticWithTablet } from "testHelpers/chromatic";
import { MockUser, MockUser2 } from "testHelpers/entities";
import { withDashboardProvider } from "testHelpers/storybook";
Expand All@@ -10,26 +11,63 @@ const meta: Meta<typeof NavbarView> = {
component: NavbarView,
args: {
user: MockUser,
canViewAllUsers: true,
canViewAuditLog: true,
canViewDeployment: true,
canViewAllUsers: true,
canViewHealth: true,
canViewOrganizations: true,
},
decorators: [withDashboardProvider],
};

export default meta;
type Story = StoryObj<typeof NavbarView>;

export const ForAdmin: Story = {};
export const ForAdmin: Story = {
play: async ({ canvasElement }) => {
const canvas = within(canvasElement);
await userEvent.click(canvas.getByRole("button", { name: "Deployment" }));
},
};

export const ForAuditor: Story = {
args: {
user: MockUser2,
canViewAllUsers: false,
canViewAuditLog: true,
canViewDeployment: false,
canViewHealth: false,
canViewOrganizations: false,
},
play: async ({ canvasElement }) => {
const canvas = within(canvasElement);
await userEvent.click(canvas.getByRole("button", { name: "Deployment" }));
},
};

export const ForOrgAdmin: Story = {
args: {
user: MockUser2,
canViewAllUsers: false,
canViewAuditLog: true,
canViewDeployment: false,
canViewHealth: false,
canViewOrganizations: true,
},
play: async ({ canvasElement }) => {
const canvas = within(canvasElement);
await userEvent.click(canvas.getByRole("button", { name: "Deployment" }));
},
};

export const ForMember: Story = {
args: {
user: MockUser2,
canViewAllUsers: false,
canViewAuditLog: false,
canViewDeployment: false,
canViewAllUsers: false,
canViewHealth: false,
canViewOrganizations: false,
},
};

Expand Down
13 changes: 7 additions & 6 deletionssite/src/pages/AuditPage/AuditPage.tsx
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -17,10 +17,9 @@ import {
import { AuditPageView } from "./AuditPageView";

const AuditPage: FC = () => {
const{ audit_log: isAuditLogVisible } = useFeatureVisibility();
constfeats = useFeatureVisibility();
const { experiments } = useDashboard();
const location = useLocation();
const isMultiOrg = experiments.includes("multi-organization");

/**
* There is an implicit link between auditsQuery and filter via the
Expand DownExpand Up@@ -75,7 +74,9 @@ const AuditPage: FC = () => {
// TODO: Once multi-org is stable, we should place this redirect into the
// router directly, if we still need to maintain it (for users who are
// typing the old URL manually or have it bookmarked).
if (isMultiOrg && location.pathname !== "/deployment/audit") {
const canViewOrganizations =
feats.multiple_organizations && experiments.includes("multi-organization");
if (canViewOrganizations && location.pathname !== "/deployment/audit") {
return <Navigate to={`/deployment/audit${location.search}`} replace />;
}

Expand All@@ -88,18 +89,18 @@ const AuditPage: FC = () => {
<AuditPageView
auditLogs={auditsQuery.data?.audit_logs}
isNonInitialPage={isNonInitialPage(searchParams)}
isAuditLogVisible={isAuditLogVisible}
isAuditLogVisible={feats.audit_log}
auditsQuery={auditsQuery}
error={auditsQuery.error}
showOrgDetails={isMultiOrg}
showOrgDetails={canViewOrganizations}
filterProps={{
filter,
error: auditsQuery.error,
menus: {
user: userMenu,
action: actionMenu,
resourceType: resourceTypeMenu,
organization:isMultiOrg ? organizationsMenu : undefined,
organization:canViewOrganizations ? organizationsMenu : undefined,
},
}}
/>
Expand Down
31 changes: 15 additions & 16 deletionssite/src/pages/DeploySettingsPage/DeploySettingsLayout.tsx
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -9,11 +9,12 @@ import { Stack } from "components/Stack/Stack";
import { useAuthenticated } from "contexts/auth/RequireAuth";
import { RequirePermission } from "contexts/auth/RequirePermission";
import { useDashboard } from "modules/dashboard/useDashboard";
import { useFeatureVisibility } from "modules/dashboard/useFeatureVisibility";
import { ManagementSettingsLayout } from "pages/ManagementSettingsPage/ManagementSettingsLayout";
import { Sidebar } from "./Sidebar";

type DeploySettingsContextValue = {
deploymentValues: DeploymentConfig;
deploymentValues: DeploymentConfig | undefined;
};

export const DeploySettingsContext = createContext<
Expand All@@ -33,9 +34,11 @@ export const useDeploySettings = (): DeploySettingsContextValue => {
export const DeploySettingsLayout: FC = () => {
const { experiments } = useDashboard();

const multiOrgExperimentEnabled = experiments.includes("multi-organization");
const feats = useFeatureVisibility();
const canViewOrganizations =
feats.multiple_organizations && experiments.includes("multi-organization");

returnmultiOrgExperimentEnabled ? (
returncanViewOrganizations ? (
<ManagementSettingsLayout />
) : (
<DeploySettingsLayoutInner />
Expand All@@ -52,19 +55,15 @@ const DeploySettingsLayoutInner: FC = () => {
<Stack css={{ padding: "48px 0" }} direction="row" spacing={6}>
<Sidebar />
<main css={{ maxWidth: 800, width: "100%" }}>
{deploymentConfigQuery.data ? (
<DeploySettingsContext.Provider
value={{
deploymentValues: deploymentConfigQuery.data,
}}
>
<Suspense fallback={<Loader />}>
<Outlet />
</Suspense>
</DeploySettingsContext.Provider>
) : (
<Loader />
)}
<DeploySettingsContext.Provider
value={{
deploymentValues: deploymentConfigQuery.data,
}}
>
<Suspense fallback={<Loader />}>
<Outlet />
</Suspense>
</DeploySettingsContext.Provider>
</main>
</Stack>
</Margins>
Expand Down
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
import type { FC } from "react";
import { Helmet } from "react-helmet-async";
import { Loader } from "components/Loader/Loader";
import { pageTitle } from "utils/page";
import { useDeploySettings } from "../DeploySettingsLayout";
import { ExternalAuthSettingsPageView } from "./ExternalAuthSettingsPageView";
Expand All@@ -13,7 +14,11 @@ const ExternalAuthSettingsPage: FC = () => {
<title>{pageTitle("External Authentication Settings")}</title>
</Helmet>

<ExternalAuthSettingsPageView config={deploymentValues.config} />
{deploymentValues ? (
<ExternalAuthSettingsPageView config={deploymentValues.config} />
) : (
<Loader />
)}
</>
);
};
Expand Down
Loading
Loading
[8]ページ先頭
©2009-2025 Movatter.jp