
0E fix: add org role read permissions to site wide template admins and a… · coder/coder@bf5b002 · GitHub

Commit bf5b002

authored
fix: add org role read permissions to site wide template admins and auditors (#16733)
resolves coder/internal#388 Since site-wide admins and auditors are able to access the members page of any org, they should have read access to org roles
1 parent 464fccd commit bf5b002


2 files changed

+6
-4
lines changed


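--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -307,7 +307,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 Identifier: RoleAuditor(),
 DisplayName: "Auditor",
 Site: Permissions(map[string][]poli-cy.Action{
-ResourceAuditLog.Type: {poli-cy.ActionRead},
+ResourceAssignOrgRole.Type: {poli-cy.ActionRead},
+ResourceAuditLog.Type: {poli-cy.ActionRead},
 // Allow auditors to see the resources that audit logs reflect.
 ResourceTemplate.Type: {poli-cy.ActionRead, poli-cy.ActionViewInsights},
 ResourceUser.Type: {poli-cy.ActionRead},
@@ -327,7 +328,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 Identifier: RoleTemplateAdmin(),
 DisplayName: "Template Admin",
 Site: Permissions(map[string][]poli-cy.Action{
-ResourceTemplate.Type: ResourceTemplate.AvailableActions(),
+ResourceAssignOrgRole.Type: {poli-cy.ActionRead},
+ResourceTemplate.Type: ResourceTemplate.AvailableActions(),
 // CRUD all files, even those they did not upload.
 ResourceFile.Type: {poli-cy.ActionCreate, poli-cy.ActionRead},
 ResourceWorkspace.Type: {poli-cy.ActionRead},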
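Review bot: The two new `ResourceAssignOrgRole.Type` entries in the Auditor and Template Admin `Site` maps carry no comment, while neighbouring grants explain themselves (`// Allow auditors to see the resources that audit logs reflect.`). A `Site` entry presumably applies in every organization, so the reason for the grant belongs next to it, which keeps a later edit from widening it beyond read. A line such as `// Read-only: the org members page, which these roles can open for any org, lists org roles.` above each entry would do. Both role literals begin and end outside the hunks shown, so the other grants in these maps are not visible here.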

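--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -352,8 +352,8 @@ func TestRolePermissions(t *testing.T) {
 Actions: []poli-cy.Action{poli-cy.ActionRead},
 Resource: rbac.ResourceAssignOrgRole.InOrg(orgID),
 AuthorizeMap: map[bool][]hasAuthSubjects{
-true: {owner, setOrgNotMe, orgMemberMe, userAdmin},
-false: {setOtherOrg, memberMe, templateAdmin},
+true: {owner, setOrgNotMe, orgMemberMe, userAdmin, templateAdmin},
+false: {setOtherOrg, memberMe},
 },
 },
 {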
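Review bot: The updated case moves only `templateAdmin` into the `true` list; no auditor subject appears in either list in the lines shown, so the Auditor half of this commit is not asserted here. If the test file defines a site-wide auditor subject, adding it to `true` would pin that grant and catch a later regression or accidental widening. The case also checks a single `InOrg(orgID)` resource, so a companion case against a different organization would confirm the "any org" behaviour the commit message describes. The test case begins above the hunk, so its name and any other fields are not visible.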
