Auditor Role is able to read all templates, meaning they can create a workspace from any template #15891

Closed
Emyrk opened this issue Dec 16, 2024 · 4 comments · Fixed by #16075
Labels
bug risk Prone to bugs security Area: security

@Emyrk
Member

Emyrk commented Dec 16, 2024

Our permissions do not determine the difference between read template and use template. Auditors are currently given read access to templates:

ResourceTemplate.Type: {policy.ActionRead, policy.ActionViewInsights},

This was done assuming an auditor would also want to audit the insights and template information; however, this is complicating the role into a Template-Reader + Auditor access.

Our docs do not mention reading templates for the Auditor role, so we should drop this permission. Calling it a bug, rather than trying to maintain backwards compatibility.

https://coder.com/docs/admin/users/groups-roles#roles

Reproduce

  1. Create a new user, and make them an auditor
  2. Create a new template, remove the everyone group from the permissions
  3. Have the auditor user create a workspace from said template
@Emyrk Emyrk added the security Area: security label Dec 16, 2024
@coder-labeler coder-labeler bot added the bug risk Prone to bugs label Dec 16, 2024
@bpmct
Member

bpmct commented Dec 17, 2024

IMO Global auditors should have read access to all templates but shouldn't necessarily be able to create workspaces. I'm in favor of future custom roles that actually disallow users (maybe a restricted auditor) from creating any type of workspace.

@bpmct
Member

bpmct commented Dec 17, 2024

Let's research how other products treat the "auditor" role before committing to a specific solution, though. My mind jumps to "readonly access to everything, but shouldn't be allowed to create cloud infra," but there are other platforms we can validate with (e.g. HashiCorp Cloud).

@spikecurtis
Contributor

We should be distinguishing between "read" and "use" verbs. They are clearly different things and conflating them is a root cause of this issue.

@Emyrk
Member Author

Emyrk commented Jan 6, 2025

@spikecurtis agreed
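
The read/use distinction discussed in this thread, as an added Go sketch that is not Coder's code and not part of any comment above. It models the reproduction steps: a role with site-wide template read, a template whose ACL no longer lists the everyone group, and a workspace-creation check gated on either `read` or a separate `use` action. All type and function names, the `use` action and the sample groups are assumptions made for illustration.

```go
package main

import "fmt"

type Action string
const (
	Read Action = "read"
	Use  Action = "use" // hypothetical verb for this sketch
)

type Grants map[Action]bool

// Subject holds site-wide template grants from the user's role, plus group memberships.
type Subject struct {
	Role   Grants
	Groups []string
}

// Template holds a per-group ACL, as edited in step 2 of the reproduction.
type Template struct{ ACL map[string]Grants }

// Authorize allows a when the role grants it on all templates or a group ACL grants it.
func Authorize(s Subject, a Action, t Template) bool {
	if s.Role[a] {
		return true
	}
	for _, g := range s.Groups {
		if t.ACL[g][a] {
			return true
		}
	}
	return false
}

// CanCreateWorkspace gates creation on one action: Read is the conflated check, Use the split one.
func CanCreateWorkspace(s Subject, t Template, gate Action) bool {
	return Authorize(s, gate, t)
}

// Constructed sample data: the "everyone" group has been removed from the template ACL.
var (
	auditor    = Subject{Role: Grants{Read: true}, Groups: []string{"everyone"}}
	developer  = Subject{Groups: []string{"everyone", "platform"}}
	restricted = Template{ACL: map[string]Grants{"platform": {Read: true, Use: true}}}
)

func main() {
	fmt.Println("auditor, gate=read:", CanCreateWorkspace(auditor, restricted, Read))
	fmt.Println("auditor, gate=use: ", CanCreateWorkspace(auditor, restricted, Use))
}
```

With the gate on `read`, the role's site-wide grant bypasses the template ACL; with the gate on `use`, the auditor can still read the template but only ACL-listed groups can build from it.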
