Skip to content

Commit b15c422

Browse files
dannykoppingdannykopping
committed
RBAC fixup
Signed-off-by: Danny Kopping <danny@coder.com>
1 parent 0ed8de7 commit b15c422

File tree

2 files changed

+10
-7
lines changed

2 files changed

+10
-7
lines changed

coderd/rbac/roles.go

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -445,6 +445,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
445445
Org: map[string][]Permission{
446446
organizationID.String(): Permissions(map[string][]policy.Action{
447447
ResourceAuditLog.Type: {policy.ActionRead},
448+
// The org-wide auditor is allowed to read *all* frobulators in their own org, regardless of who owns them.
449+
ResourceFrobulator.Type: {policy.ActionRead},
448450
}),
449451
},
450452
User: []Permission{},

coderd/rbac/roles_test.go

Lines changed: 8 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -691,13 +691,14 @@ func TestRolePermissions(t *testing.T) {
691691
},
692692
},
693693
{
694-
// Owner should be able to CRUD any other user's frobulators
695-
Name: "FrobulatorsAnyUser",
696-
Actions: []policy.Action{policy.ActionRead, policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
697-
Resource: rbac.ResourceFrobulator.WithOwner(uuid.New().String()), // read frobulators of any user
694+
// Owner should be able to modify any other user's frobulators in their own org
695+
// Org admin should be able to modify any other user's frobulators in their own org
696+
Name: "FrobulatorsModifyAnyUser",
697+
Actions: []policy.Action{policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
698+
Resource: rbac.ResourceFrobulator.WithOwner(uuid.New().String()).InOrg(orgID), // read frobulators of any user
698699
AuthorizeMap: map[bool][]hasAuthSubjects{
699-
true: {owner},
700-
false: {memberMe, orgMemberMe, orgAdmin, setOtherOrg, templateAdmin, userAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor},
700+
true: {owner, orgAdmin},
701+
false: {memberMe, orgMemberMe, setOtherOrg, templateAdmin, userAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor},
701702
},
702703
},
703704
{
@@ -706,7 +707,7 @@ func TestRolePermissions(t *testing.T) {
706707
// Owner should be able to read any other user's frobulators
707708
Name: "FrobulatorsReadAnyUserInOrg",
708709
Actions: []policy.Action{policy.ActionRead},
709-
Resource: rbac.ResourceFrobulator.InOrg(orgID).WithOwner(uuid.New().String()), // read frobulators of any user
710+
Resource: rbac.ResourceFrobulator.WithOwner(uuid.New().String()).InOrg(orgID), // read frobulators of any user
710711
AuthorizeMap: map[bool][]hasAuthSubjects{
711712
true: {owner, orgAdmin, orgAuditor},
712713
false: {memberMe, orgMemberMe, setOtherOrg, templateAdmin, userAdmin, orgTemplateAdmin, orgUserAdmin},

0 commit comments

Comments
 (0)