Remove need to be in the org for the group to work in the rego

Emyrk · Emyrk · commit dc65257f47f5 · 2022-09-26T14:02:45.000-04:00
diff --git a/coderd/rbac/partial.go b/coderd/rbac/partial.go
@@ -80,7 +80,7 @@ EachQueryLoop:
 		// inspect this any further. But just in case, we will verify each expression
 		// did resolve to 'true'. This is purely defensive programming.
 		for _, exp := range results[0].Expressions {
-			if exp.String() != "true" {
+			if v, ok := exp.Value.(bool); !ok || !v {
 				continue EachQueryLoop
 			}
 		}
@@ -117,6 +117,7 @@ func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, s
 			"input.object.owner",
 			"input.object.org_owner",
 			"input.object.acl_user_list",
+			"input.object.acl_group_list",
 		}),
 		rego.Input(input),
 	).Partial(ctx)
diff --git a/coderd/rbac/policy.rego b/coderd/rbac/policy.rego
@@ -208,9 +208,9 @@ acl_allow {
 	# 	Currently the simplfied queries return extra queries that are always
 	# 	false. If these 2 lines are combined, we reduce the number of queries
 	# 	returned by partial execution.
-	input.object.org_owner != ""
+#	input.object.org_owner != ""
 	# Only people in the org can use the team access.
-	org_mem
+#	org_mem
 	group := input.subject.groups[_]
 	perms := input.object.acl_group_list[group]
 	# Either the input action or wildcard
