feat(enterprise): implement organization "disable workspace sharing" option #21376

Open
geokat wants to merge 2 commits into geokat/internal-1073-make-org-member-role-customizable-per-org from geokat/internal-1073-implement-option-to-disable-workspace-sharing-per-org

@geokat (Contributor) commented Dec 22, 2025 (edited)

Part of a series (2 stacked PRs) that closes coder/internal#1073

  • PR 1/2
  • PR 2/2 (this one)

Adds a per-organization setting to disable workspace sharing. When enabled,
all existing workspace ACLs in the organization are cleared and workspace
sharing API endpoints return 403 Forbidden.

This complements the existing site-wide --disable-workspace-sharing flag by
providing more granular control at the organization level.

Changes

  • New API endpoints for organization workspace sharing settings:
    • GET /organizations/{org}/settings/workspace-sharing
    • PATCH /organizations/{org}/settings/workspace-sharing
  • CLI commands: coder organizations settings show workspace-sharing
    and coder organizations settings set workspace-sharing
  • When sharing is disabled for an organization:
    • All existing workspace ACLs are cleared (DeleteWorkspaceACLsByOrganization)
    • ACL endpoints (GET/PATCH/DELETE /workspaces/{id}/acl) return 403 Forbidden
    • The org-member role is reconciled to remove sharing permissions
  • Audit logging for settings changes

Implementation notes

  • Considered organization edit --disable-workspace-sharing but chose the settings
    endpoint pattern for extensibility (e.g., future settings like default share level, allowed
    share levels)
  • The setting is stored on the organizations table as workspace_sharing_disabled
  • Disabling sharing is a destructive operation that removes all existing ACL entries
  • Re-enabling sharing does not restore previously cleared ACLs
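
The behaviour listed in the PR description above, as an added Go sketch that is not code from this PR or from Coder: a hypothetical in-memory Store (every type, function and sample name here is an assumption) showing that disabling deletes ACLs only within the target organization, that ACL requests there then get 403, and that re-enabling leaves the ACLs empty.

```go
package main

import (
	"fmt"
	"net/http"
)

// Store is a hypothetical in-memory model of the described behaviour; not Coder's types.
type Store struct {
	OrgSharingDisabled map[string]bool              // org ID -> workspace_sharing_disabled
	WorkspaceOrg       map[string]string            // workspace ID -> owning org ID
	ACLs               map[string]map[string]string // workspace ID -> user -> role
}

// newDemoStore returns constructed sample data (IDs, users and roles are made up).
func newDemoStore() *Store {
	return &Store{
		OrgSharingDisabled: map[string]bool{"org-a": false, "org-b": false},
		WorkspaceOrg:       map[string]string{"ws-a1": "org-a", "ws-a2": "org-a", "ws-b1": "org-b"},
		ACLs:               map[string]map[string]string{"ws-a1": {"bob": "use"}, "ws-b1": {"carol": "use"}},
	}
}

// SetOrgSharingDisabled models the PATCH settings call and returns how many
// workspaces had ACLs deleted. Re-enabling only flips the flag; nothing is restored.
func (s *Store) SetOrgSharingDisabled(orgID string, disabled bool) int {
	cleared := 0
	for ws, org := range s.WorkspaceOrg {
		if disabled && org == orgID && len(s.ACLs[ws]) > 0 {
			delete(s.ACLs, ws) // destructive: the entries are gone, not hidden
			cleared++
		}
	}
	s.OrgSharingDisabled[orgID] = disabled
	return cleared
}

// ACLStatus models the guard in front of the ACL endpoints for an existing workspace.
func (s *Store) ACLStatus(wsID string) int {
	if s.OrgSharingDisabled[s.WorkspaceOrg[wsID]] {
		return http.StatusForbidden
	}
	return http.StatusOK
}

func main() {
	s := newDemoStore()
	n := s.SetOrgSharingDisabled("org-a", true)
	fmt.Println(n, s.ACLStatus("ws-a1"), s.ACLStatus("ws-b1"), len(s.ACLs["ws-b1"]))
}
```
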

@geokat (Contributor, Author)

> • New API endpoints for organization workspace sharing settings:
>   • GET /organizations/{org}/settings/workspace-sharing
>   • PATCH /organizations/{org}/settings/workspace-sharing
> • CLI commands: coder organizations settings show workspace-sharing
>   and coder organizations settings set workspace-sharing

Now I'm not sure if we want to expose sharing_disabled as a workspace-sharing setting like I did here or as organization edit --workspace-sharing-disabled=true (which would require creating a whole new organization edit sub-command), or maybe some other way.

It's a UX question but maybe also an authz one: as a setting (the former case) it could be easily guarded with a separate RBAC resource type if necessary (e.g. ResourceWorkspaceSharingSettings) whereas as an organization property (the latter) it would fall under ActionUpdate on ResourceOrganization?

@aslilac (Member)

just as a heads up, we usually try to limit prs to about +500 lines. a little bit bigger is fine, but this is significantly over the usual limit, which will make it much harder for us to review quickly/effectively.

geokat reacted with thumbs up emoji

@geokat changed the base branch from main to geokat/internal-1073-make-org-member-role-customizable-per-org, December 22, 2025 23:47

@geokat (Contributor, Author)

> just as a heads up, we usually try to limit prs to about +500 lines. a little bit bigger is fine, but this is significantly over the usual limit, which will make it much harder for us to review quickly/effectively.

My bad, I should have used #21359 as the base branch because these two are stacked. Fixed.


Reviewers: Emyrk (awaiting requested review), aslilac (awaiting requested review)

Assignees: geokat

Labels: None yet

Projects: None yet

Milestone: No milestone

Development: Successfully merging this pull request may close these issues: Implement organization "disable workspace sharing" option

3 participants: @geokat, @aslilac
