diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
index db62bbd6e6d0d..7e0cf0c757da5 100644
--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -274,8 +274,6 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 DisplayName: "Member",
 Site: Permissions(map[string][]policy.Action{
 ResourceAssignRole.Type: {policy.ActionRead},
- // All users can see the provisioner daemons.
- ResourceProvisionerDaemon.Type: {policy.ActionRead},
 // All users can see OAuth2 provider applications.
 ResourceOauth2App.Type: {policy.ActionRead},
 ResourceWorkspaceProxy.Type: {policy.ActionRead},
@@ -414,18 +412,15 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 DisplayName: "",
 Site: []Permission{},
 Org: map[string][]Permission{
- organizationID.String(): {
- {
- // All org members can read the organization
- ResourceType: ResourceOrganization.Type,
- Action: policy.ActionRead,
- },
- {
- // Can read available roles.
- ResourceType: ResourceAssignOrgRole.Type,
- Action: policy.ActionRead,
- },
- },
+ organizationID.String(): Permissions(map[string][]policy.Action{
+ // All users can see the provisioner daemons for workspace
+ // creation.
+ ResourceProvisionerDaemon.Type: {policy.ActionRead},
+ // All org members can read the organization
+ ResourceOrganization.Type: {policy.ActionRead},
+ // Can read available roles.
+ ResourceAssignOrgRole.Type: {policy.ActionRead},
+ }),
 },
 User: []Permission{
 {
diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
index fb2a85a59bfe3..bf537f815cb2b 100644
--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
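Review bot: The comment added above `ResourceProvisionerDaemon.Type` in the org-member permission block still says "All users", but the grant is now scoped to the organization key it sits under, so it should read `// All org members can see the provisioner daemons for workspace creation.` to match the `ResourceOrganization` comment right below it. With the site-level read removed in the first hunk, a member can only read daemons that the authorizer resolves to an organization; if any daemon rows exist without an organization (the diff does not show whether that is possible), members would lose visibility of them, which is worth confirming against the listing handlers. `ReloadBuiltinRoles` begins and ends outside this hunk.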
@@ -531,9 +531,8 @@ func TestRolePermissions(t *testing.T) { Actions: []policy.Action{policy.ActionRead}, Resource: rbac.ResourceProvisionerDaemon.InOrg(orgID), AuthorizeMap: map[bool][]hasAuthSubjects{ - // This should be fixed when multi-org goes live - true: {setOtherOrg, owner, templateAdmin, setOrgNotMe, memberMe, orgMemberMe, userAdmin}, - false: {}, + true: {owner, templateAdmin, setOrgNotMe, orgMemberMe}, + false: {setOtherOrg, memberMe, userAdmin}, }, }, { diff --git a/enterprise/coderd/provisionerdaemons_test.go b/enterprise/coderd/provisionerdaemons_test.go index e2755105c4009..83475c31bba9d 100644 --- a/enterprise/coderd/provisionerdaemons_test.go +++ b/enterprise/coderd/provisionerdaemons_test.go @@ -739,7 +739,7 @@ func TestGetProvisionerDaemons(t *testing.T) { t.Parallel() dv := coderdtest.DeploymentValues(t) dv.Experiments = []string{string(codersdk.ExperimentMultiOrganization)} - client, _ := coderdenttest.New(t, &coderdenttest.Options{ + client, first := coderdenttest.New(t, &coderdenttest.Options{ Options: &coderdtest.Options{ DeploymentValues: dv, }, @@ -753,6 +753,7 @@ func TestGetProvisionerDaemons(t *testing.T) { }) org := coderdenttest.CreateOrganization(t, client, coderdenttest.CreateOrganizationOptions{}) orgAdmin, _ := coderdtest.CreateAnotherUser(t, client, org.ID, rbac.ScopedRoleOrgAdmin(org.ID)) + outsideOrg, _ := coderdtest.CreateAnotherUser(t, client, first.OrganizationID) res, err := orgAdmin.CreateProvisionerKey(context.Background(), org.ID, codersdk.CreateProvisionerKeyRequest{ Name: "my-key", @@ -800,5 +801,9 @@ func TestGetProvisionerDaemons(t *testing.T) { assert.Equal(t, buildinfo.Version(), pkDaemons[0].Daemons[0].Version) assert.Equal(t, proto.CurrentVersion.String(), pkDaemons[0].Daemons[0].APIVersion) assert.Equal(t, keys[0].ID, pkDaemons[0].Daemons[0].KeyID) + + // Verify user outside the org cannot read the provisioners + _, err = outsideOrg.ListProvisionerKeyDaemons(ctx, org.ID) + require.Error(t, err) }) }
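Review bot: The updated case only exercises the org-scoped resource `rbac.ResourceProvisionerDaemon.InOrg(orgID)`, so the companion removal of the site-wide `ResourceProvisionerDaemon` read from the Member role is not pinned by anything visible here. Unless another case in the table already covers it, add a case with `Resource: rbac.ResourceProvisionerDaemon` (no `InOrg`) whose `false` set lists at least `memberMe` and `orgMemberMe`, so that reintroducing the site-level grant fails this test rather than passing silently. `TestRolePermissions` begins and ends outside this hunk.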
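Review bot: `require.Error(t, err)` after the new `outsideOrg.ListProvisionerKeyDaemons(ctx, org.ID)` call accepts any failure — a transport error or a malformed request would pass too — so it does not prove the call was rejected by authorization. Assert the HTTP status instead, e.g. `var apiErr *codersdk.Error` / `require.ErrorAs(t, err, &apiErr)` / `require.Equal(t, http.StatusNotFound, apiErr.StatusCode())`, using whichever of 404/403 the handler returns for an organization the caller is not a member of (the diff does not show which); this needs `net/http` imported if it is not already. The enclosing subtest and `TestGetProvisionerDaemons` begin outside this hunk.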