Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: implement acl for workspaces#19094

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
aslilac merged 10 commits intomainfromlilac/workspaces-acl
Jul 30, 2025
Merged

feat: implement acl for workspaces#19094

aslilac merged 10 commits intomainfromlilac/workspaces-acl
Jul 30, 2025

Conversation

aslilac
Copy link
Member

@aslilacaslilac commentedJul 29, 2025
edited
Loading

  • Refactors (what is now named)ACLMappingVar to support permissions lists stored in a field rather than directly in the mapping
  • Use that to give workspace resources actual ACL matchers
  • Adds the ACL columns to theworkspaces table

@aslilac
Copy link
MemberAuthor

aslilac commentedJul 29, 2025
edited
Loading

I'm concerned about the security implications of exposing this value too prominently, and we have a lot queries that currently selectworkspaces.*. Am I over thinking it or should we pare back on some of those to be more selective on the columns they get?

Edit: I guess it doesn't really matter if the db types have this column. We'd have to expose them through the codersdk types manually still.

Copy link
Member

@EmyrkEmyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Wait, not done reviewing! Sorry, finishing up. Misclicked

Comment on lines 62 to 65
// "left" will be a map of group names to actions in rego.
//{
// "all_users": ["read"]
//}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This is not 100% correct anymore. Maybe just note theSubField is"" for this example.

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I think this is still correct tho. by the time it gets to rego it will just be a list of actions because the subfield gets handled in sql right? the rego policy doesn't even know about the indirection

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

The rego just gets a slice of actions iirc. I will need to double check, we can keep this for now

@aslilacaslilac merged commiteeb0bbe intomainJul 30, 2025
28 checks passed
@aslilacaslilac deleted the lilac/workspaces-acl branchJuly 30, 2025 23:02
@github-actionsgithub-actionsbot locked and limited conversation to collaboratorsJul 30, 2025
Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.
Reviewers

@EmyrkEmyrkEmyrk approved these changes

@brettkolodnybrettkolodnyAwaiting requested review from brettkolodny

Assignees

@aslilacaslilac

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

2 participants
@aslilac@Emyrk
[8]ページ先頭
©2009-2025 Movatter.jp