chore: clean up built-in role permissions (#16645)
1 parent a36ef7b commit 2533032

4 files changed

+37
-32
lines changed


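--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -283,10 +283,11 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 Permissions(map[string][]policy.Action{
 // Reduced permission set on dormant workspaces. No build, ssh, or exec
 ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop},
-
 // Users cannot do create/update/delete on themselves, but they
 // can read their own details.
 ResourceUser.Type: {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
+// Can read their own organization member record
+ResourceOrganizationMember.Type: {policy.ActionRead},
 // Users can create provisioner daemons scoped to themselves.
 ResourceProvisionerDaemon.Type: {policy.ActionRead, policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},
 })...,
@@ -423,12 +424,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceAssignOrgRole.Type: {policy.ActionRead},
 }),
 },
-User: []Permission{
-{
-ResourceType: ResourceOrganizationMember.Type,
-Action: policy.ActionRead,
-},
-},
+User: []Permission{},
 }
 },
 orgAuditor: func(organizationID uuid.UUID) Role {
@@ -439,6 +435,12 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 Org: map[string][]Permission{
 organizationID.String(): Permissions(map[string][]policy.Action{
 ResourceAuditLog.Type: {policy.ActionRead},
+// Allow auditors to see the resources that audit logs reflect.
+ResourceTemplate.Type: {policy.ActionRead, policy.ActionViewInsights},
+ResourceGroup.Type: {policy.ActionRead},
+ResourceGroupMember.Type: {policy.ActionRead},
+ResourceOrganization.Type: {policy.ActionRead},
+ResourceOrganizationMember.Type: {policy.ActionRead},
 }),
 },
 User: []Permission{},
@@ -458,6 +460,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 organizationID.String(): Permissions(map[string][]policy.Action{
 // Assign, remove, and read roles in the organization.
 ResourceAssignOrgRole.Type: {policy.ActionAssign, policy.ActionDelete, policy.ActionRead},
+ResourceOrganization.Type: {policy.ActionRead},
 ResourceOrganizationMember.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 ResourceGroup.Type: ResourceGroup.AvailableActions(),
 ResourceGroupMember.Type: ResourceGroupMember.AvailableActions(),
@@ -479,10 +482,15 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceFile.Type: {policy.ActionCreate, policy.ActionRead},
 ResourceWorkspace.Type: {policy.ActionRead},
 // Assigning template perms requires this permission.
+ResourceOrganization.Type: {policy.ActionRead},
 ResourceOrganizationMember.Type: {policy.ActionRead},
 ResourceGroup.Type: {policy.ActionRead},
 ResourceGroupMember.Type: {policy.ActionRead},
-ResourceProvisionerJobs.Type: {policy.ActionRead},
+// Since templates have to correlate with provisioners,
+// the ability to create templates and provisioners has
+// a lot of overlap.
+ResourceProvisionerDaemon.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+ResourceProvisionerJobs.Type: {policy.ActionRead},
 }),
 },
 User: []Permission{},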
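Review bot: The three new `ResourceOrganization.Type: {policy.ActionRead}` grants — orgAuditor in the `@@ -439` hunk, orgUserAdmin in `@@ -458` and orgTemplateAdmin in `@@ -479` — have no matching change in the roles_test.go hunks of this commit, so either TestRolePermissions has no ResourceOrganization read case or those roles already passed it by another route; one of those should be confirmed before widening a permission without a pinned expectation. The `@@ -479` hunk also grants `policy.ActionDelete` on `ResourceProvisionerDaemon` to org template admins, which is broader than the "have to correlate with provisioners" comment justifies; if deletion is intended, say so in the comment, e.g. `// Org template admins fully manage org-scoped provisioner daemons (including delete) because templates depend on them.` In the `@@ -283` hunk the context line `ResourceProvisionerDaemon.Type: {policy.ActionRead, policy.ActionCreate, policy.ActionRead, policy.ActionUpdate}` lists `policy.ActionRead` twice, and a cleanup commit is the natural place to drop the duplicate. ReloadBuiltinRoles starts and ends outside these hunks.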

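--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -217,20 +217,20 @@ func TestRolePermissions(t *testing.T) {
 },
 {
 Name: "Templates",
-Actions: []policy.Action{policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete, policy.ActionViewInsights},
+Actions: []policy.Action{policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 Resource: rbac.ResourceTemplate.WithID(templateID).InOrg(orgID),
 AuthorizeMap: map[bool][]hasAuthSubjects{
 true: {owner, orgAdmin, templateAdmin, orgTemplateAdmin},
-false: {setOtherOrg, orgAuditor, orgUserAdmin, memberMe, orgMemberMe, userAdmin},
+false: {setOtherOrg, orgUserAdmin, orgAuditor, memberMe, orgMemberMe, userAdmin},
 },
 },
 {
 Name: "ReadTemplates",
-Actions: []policy.Action{policy.ActionRead},
+Actions: []policy.Action{policy.ActionRead, policy.ActionViewInsights},
 Resource: rbac.ResourceTemplate.InOrg(orgID),
 AuthorizeMap: map[bool][]hasAuthSubjects{
-true: {owner, orgAdmin, templateAdmin, orgTemplateAdmin},
-false: {setOtherOrg, orgAuditor, orgUserAdmin, memberMe, userAdmin, orgMemberMe},
+true: {owner, orgAuditor, orgAdmin, templateAdmin, orgTemplateAdmin},
+false: {setOtherOrg, orgUserAdmin, memberMe, userAdmin, orgMemberMe},
 },
 },
 {
@@ -377,8 +377,8 @@ func TestRolePermissions(t *testing.T) {
 Actions: []policy.Action{policy.ActionRead},
 Resource: rbac.ResourceOrganizationMember.WithID(currentUser).InOrg(orgID).WithOwner(currentUser.String()),
 AuthorizeMap: map[bool][]hasAuthSubjects{
-true: {owner, orgAdmin, userAdmin, orgMemberMe, templateAdmin, orgUserAdmin, orgTemplateAdmin},
-false: {memberMe, setOtherOrg, orgAuditor},
+true: {owner, orgAuditor, orgAdmin, userAdmin, orgMemberMe, templateAdmin, orgUserAdmin, orgTemplateAdmin},
+false: {memberMe, setOtherOrg},
 },
 },
 {
@@ -404,7 +404,7 @@ func TestRolePermissions(t *testing.T) {
 }),
 AuthorizeMap: map[bool][]hasAuthSubjects{
 true: {owner, orgAdmin, userAdmin, orgUserAdmin},
-false: {setOtherOrg, memberMe, orgMemberMe, templateAdmin, orgTemplateAdmin, orgAuditor, groupMemberMe},
+false: {setOtherOrg, memberMe, orgMemberMe, templateAdmin, orgTemplateAdmin, groupMemberMe, orgAuditor},
 },
 },
 {
@@ -416,26 +416,26 @@ func TestRolePermissions(t *testing.T) {
 },
 }),
 AuthorizeMap: map[bool][]hasAuthSubjects{
-true: {owner, orgAdmin, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, groupMemberMe},
-false: {setOtherOrg, memberMe, orgMemberMe, orgAuditor},
+true: {owner, orgAdmin, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, groupMemberMe, orgAuditor},
+false: {setOtherOrg, memberMe, orgMemberMe},
 },
 },
 {
 Name: "GroupMemberMeRead",
 Actions: []policy.Action{policy.ActionRead},
 Resource: rbac.ResourceGroupMember.WithID(currentUser).InOrg(orgID).WithOwner(currentUser.String()),
 AuthorizeMap: map[bool][]hasAuthSubjects{
-true: {owner, orgAdmin, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, orgMemberMe, groupMemberMe},
-false: {setOtherOrg, memberMe, orgAuditor},
+true: {owner, orgAuditor, orgAdmin, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, orgMemberMe, groupMemberMe},
+false: {setOtherOrg, memberMe},
 },
 },
 {
 Name: "GroupMemberOtherRead",
 Actions: []policy.Action{policy.ActionRead},
 Resource: rbac.ResourceGroupMember.WithID(adminID).InOrg(orgID).WithOwner(adminID.String()),
 AuthorizeMap: map[bool][]hasAuthSubjects{
-true: {owner, orgAdmin, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin},
-false: {setOtherOrg, memberMe, orgAuditor, orgMemberMe, groupMemberMe},
+true: {owner, orgAuditor, orgAdmin, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin},
+false: {setOtherOrg, memberMe, orgMemberMe, groupMemberMe},
 },
 },
 {
@@ -534,8 +534,8 @@ func TestRolePermissions(t *testing.T) {
 Actions: []policy.Action{policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 Resource: rbac.ResourceProvisionerDaemon.InOrg(orgID),
 AuthorizeMap: map[bool][]hasAuthSubjects{
-true: {owner, templateAdmin, orgAdmin},
-false: {setOtherOrg, orgTemplateAdmin, orgUserAdmin, memberMe, orgMemberMe, userAdmin, orgAuditor},
+true: {owner, templateAdmin, orgAdmin, orgTemplateAdmin},
+false: {setOtherOrg, orgAuditor, orgUserAdmin, memberMe, orgMemberMe, userAdmin},
 },
 },
 {
@@ -552,8 +552,8 @@ func TestRolePermissions(t *testing.T) {
 Actions: []policy.Action{policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 Resource: rbac.ResourceProvisionerDaemon.WithOwner(currentUser.String()).InOrg(orgID),
 AuthorizeMap: map[bool][]hasAuthSubjects{
-true: {owner, templateAdmin, orgMemberMe, orgAdmin},
-false: {setOtherOrg, memberMe, userAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor},
+true: {owner, templateAdmin, orgTemplateAdmin, orgMemberMe, orgAdmin},
+false: {setOtherOrg, memberMe, userAdmin, orgUserAdmin, orgAuditor},
 },
 },
 {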
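Review bot: The `@@ -404,7 +404,7 @@` hunk only swaps the positions of `groupMemberMe` and `orgAuditor` inside the `false` slice, and the `false` line of the `"Templates"` case in the `@@ -217` hunk does the same with `orgUserAdmin` and `orgAuditor`; neither changes what the test asserts unless the harness is order-sensitive, and such no-op reorders make it harder to see which subjects actually changed sides in a permissions commit. The `"Templates"` case now keeps only create/update/delete and `"ReadTemplates"` takes `policy.ActionViewInsights` alongside read; a one-line comment on the ReadTemplates `Actions` line such as `// ViewInsights is treated as a read-level action, so auditors get it without template CUD.` would record why it moved. TestRolePermissions begins and ends outside these hunks.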

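--- a/site/src/modules/management/OrganizationSidebarView.tsx
+++ b/site/src/modules/management/OrganizationSidebarView.tsx
@@ -167,11 +167,9 @@ const OrganizationSettingsNavigation: FC<
 return (
 <>
 <div className="flex flex-col gap-1 my-2">
-{orgPermissions.viewMembers && (
-<SettingsSidebarNavItem end href={urlForSubpage(organization.name)}>
-Members
-</SettingsSidebarNavItem>
-)}
+<SettingsSidebarNavItem end href={urlForSubpage(organization.name)}>
+Members
+</SettingsSidebarNavItem>
 {orgPermissions.viewGroups && (
 <SettingsSidebarNavItem
 href={urlForSubpage(organization.name, "groups")}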
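Review bot: The Members entry is now rendered unconditionally, but `canViewOrganization` in organizationPermissions.tsx (its `@@ -114` hunk) still counts `permissions.viewMembers` toward whether the organization is shown at all, so the two places no longer agree on whether member visibility is assumed. If every org member is now expected to read the member list (which the roles.go change appears to aim for), `viewMembers` is redundant in `canViewOrganization` as well and should be dropped alongside `viewOrgRoles`; if it is not, the unconditional link steers some users to a page whose API calls are denied server-side. Either keep the `{orgPermissions.viewMembers && (` guard or remove `viewMembers` from `canViewOrganization` in the same change. The client-side guard is not an access control — the server decides — but its removal should be deliberate and consistent. OrganizationSettingsNavigation starts and ends outside the hunk.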

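--- a/site/src/modules/management/organizationPermissions.tsx
+++ b/site/src/modules/management/organizationPermissions.tsx
@@ -114,7 +114,6 @@ export const canViewOrganization = (
 permissions !== undefined &&
 (permissions.viewMembers ||
 permissions.viewGroups ||
-permissions.viewOrgRoles ||
 permissions.viewProvisioners ||
 permissions.viewIdpSyncSettings)
 );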
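Review bot: After `permissions.viewOrgRoles ||` is dropped from `canViewOrganization`, nothing in this commit shows whether `viewOrgRoles` is still consumed anywhere; if it remains in the permission-check batch but is no longer read, that check should be removed from the batch too rather than left as an unused authorization round-trip. If it is still used by another component, a short comment on the remaining condition stating why `viewOrgRoles` no longer qualifies a user to see the organization would stop the next reader from re-adding it. canViewOrganization starts outside the hunk.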
