Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: implement WorkspaceCreationBan org role#16686

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
jaaydenh merged 11 commits intomainfromstevenmasley/workspaceban
Feb 27, 2025

Conversation

Emyrk
Copy link
Member

@EmyrkEmyrk commentedFeb 24, 2025
edited
Loading

Using negative permissions, this role prevents a user's ability to create & delete a workspace within a given organization.

Workspaces are uniquely owned by an org and a user, so the org has to supercede the user permission with a negative permission.

Use case

Organizations must be able to restrict a member's ability to create a workspace. This permission is implicitly granted (see#16546 (comment)).

To revoke this permission, the solution chosen was to use negative permissions in a built in role calledWorkspaceCreationBan.

Rational

Using negative permissions is new territory, and not ideal. However, workspaces are in a unique position.

Workspaces have 2 owners. The organization and the user. To prevent users from creating a workspace in another organization, animplied negative permission is used. So the truth table looks like:how to read this tablehere

Role (example)SiteOrgUserResult
non-org-member_NYN_N
user__YY
WorkspaceBan_NYN
unauthenticated___N
org-admin_YYN_Y

This new role,WorkspaceCreationBan is the same truth table condition as if the user was not a member of the organization (when doing a workspace create/delete). So this behavioris not entirely new.

How to do it without a negative permission

The alternate approach would be to remove the implied permission, and grant it via and organization role. However this would add new behavior that an organizational role has the ability to grant a user permissions on their own resources?

It does not make sense for an org role to prevent user from changing their profile information for example. So the only option is to create a new truth table column for resources that are owned by both an organization and a user.

Role (example)SiteOrgUser+OrgUserResult
non-org-member_N__N
user____N
WorkspaceAllow__Y_Y
unauthenticated____N

Now a user has no opinion on if they can create a workspace, which feels a little wrong. A user should have the authority over what is theres.

There is fundamentalphilosophical question of "Who does a workspace belong to?". The user has some set of autonomy, yet it is the organization that controls it's existence. A head scratcher 🤔

Will we need more negative built in roles?

There are few resources that have shared ownership. OnlyResourceOrganizationMember andResourceGroupMember. Since negative permissions is intended to revoke access to a shared resource, thenno.This is the only one we need.

Classic resources likeResourceTemplate are entirely controlled by the Organization permissions. And resources entirely in the user control (like user profile) are only controlled byUser permissions.

Screenshot 2025-02-26 at 22 26 52

Using negative permissions, this role prevents a user's abilityto create & delete a workspace within a given organization.Workspaces are uniquely owned by an org and a user, so the orghas to supercede the user permission with a negative permission.
@jaaydenhjaaydenh self-assigned thisFeb 25, 2025
@jaaydenhjaaydenh marked this pull request as ready for reviewFebruary 26, 2025 18:41
Copy link
Member

@aslilacaslilac left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

it bugs me a tiny bit that the text wraps on the ban role. maybe we make the menu a little wider, or the text a little smaller? it's close enough that maybe even lowering the font weight would make it fit

left a few minor comments but this looks pretty good!

jaaydenh reacted with thumbs up emoji
Comment on lines +115 to +120
const filteredRoles = roles.filter(
(role) => role.name !== "organization-workspace-creation-ban",
);
const advancedRoles = roles.filter(
(role) => role.name === "organization-workspace-creation-ban",
);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

if we wanted to be brave we could useObject.groupBy here, but that function is super new :\ I'm not crazy about iterating over the list twice but it'll always be short so I'm probably overthinking it

@jaaydenhjaaydenh merged commitcccdf1e intomainFeb 27, 2025
33 checks passed
@jaaydenhjaaydenh deleted the stevenmasley/workspaceban branchFebruary 27, 2025 11:23
@github-actionsgithub-actionsbot locked and limited conversation to collaboratorsFeb 27, 2025
@stirby
Copy link
Collaborator

/cherry-pick release/2.20

Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.
Reviewers

@jaaydenhjaaydenhjaaydenh left review comments

@aslilacaslilacaslilac approved these changes

Assignees

@jaaydenhjaaydenh

@EmyrkEmyrk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

4 participants
@Emyrk@stirby@aslilac@jaaydenh
[8]ページ先頭
©2009-2025 Movatter.jp