@@ -76,25 +76,54 @@ type UserRoles struct {
7676 OrganizationRoles map [uuid.UUID ][]string `json:"organization_roles"`
7777}
7878
79- type UserPermissionCheckObject struct {
80- ResourceType string `json:"resource_type,omitempty"`
81- OwnerID string `json:"owner_id,omitempty"`
82- OrganizationID string `json:"organization_id,omitempty"`
83- ResourceID string `json:"resource_id,omitempty"`
84- }
85-
8679type UserPermissionCheckResponse map [string ]bool
8780
8881// UserPermissionCheckRequest is a structure instead of a map because
8982// go-playground/validate can only validate structs. If you attempt to pass
9083// a map into 'httpapi.Read', you will get an invalid type error.
9184type UserPermissionCheckRequest struct {
85+ // Checks is a map keyed with an arbitrary string to a permission check.
86+ // The key can be any string that is helpful to the caller, and allows
87+ // multiple permission checks to be run in a single request.
88+ // The key ensures that each permission check has the same key in the
89+ // response.
9290 Checks map [string ]UserPermissionCheck `json:"checks"`
9391}
9492
93+ // UserPermissionCheck is used to check if a user can do a given action
94+ // to a given set of objects.
9595type UserPermissionCheck struct {
96+ // Object can represent a "set" of objects, such as:
97+ // - All workspaces in an organization
98+ // - All workspaces owned by me
99+ // - All workspaces across the entire product
100+ // When defining an object, use the most specific language when possible to
101+ // produce the smallest set. Meaning to set as many fields on 'Object' as
102+ // you can. Example, if you want to check if you can update all workspaces
103+ // owned by 'me', try to also add an 'OrganizationID' to the settings.
104+ // Omitting the 'OrganizationID' could produce the incorrect value, as
105+ // workspaces have both `user` and `organization` owners.
96106 Object UserPermissionCheckObject `json:"object"`
97- Action string `json:"action"`
107+ // Action can be 'create', 'read', 'update', or 'delete'
108+ Action string `json:"action"`
109+ }
110+
111+ type UserPermissionCheckObject struct {
112+ // ResourceType is the name of the resource.
113+ // './coderd/rbac/object.go' has the list of valid resource types.
114+ ResourceType string `json:"resource_type,omitempty"`
115+ // OwnerID (optional) is a user_id. It adds the set constraint to all resources owned
116+ // by a given user.
117+ OwnerID string `json:"owner_id,omitempty"`
118+ // OrganizationID (optional) is an organization_id. It adds the set constraint to
119+ // all resources owned by a given organization.
120+ OrganizationID string `json:"organization_id,omitempty"`
121+ // ResourceID (optional) reduces the set to a singular resource. This assigns
122+ // a resource ID to the resource type, eg: a single workspace.
123+ // The rbac library will not fetch the resource from the database, so if you
124+ // are using this option, you should also set the 'OwnerID' and 'OrganizationID'
125+ // if possible. Be as specific as possible using all the fields relevant.
126+ ResourceID string `json:"resource_id,omitempty"`
98127}
99128
100129// LoginWithPasswordRequest enables callers to authenticate with email and password.
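Review bot: The new doc comment on `Object` says that omitting `OrganizationID` "could produce the incorrect value" but not in which direction, and callers will gate authorization decisions on this response; the comment should state whether an under-specified object set yields a spurious `false` or a spurious `true` (I cannot tell from this hunk which one the rbac evaluation produces, so confirm and name it explicitly). The `Action` comment is not a full sentence and leaves unstated what happens for a value outside the four listed; something like `// Action is one of 'create', 'read', 'update', or 'delete'; any other value is rejected by the server.` would close that gap, provided the server does reject it. The `ResourceType` comment points at the repo path `'./coderd/rbac/object.go'`, which a godoc reader of the client package cannot follow; naming the Go identifier that holds the valid resource types would be more durable. These are the only comment lines in the hunk that a caller writing a permission check would need to reread.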