
fix: allow group members to read group information #14200


Merged
2c6d037
- allow group members to read basic Group info
hugodutka Aug 6, 2024
2409072
rename ReducedGroup.member_count to ReducedGroup.total_member_count
hugodutka Aug 6, 2024
5391c15
use the reduced groups for user endpoint on the AccountPage
hugodutka Aug 6, 2024
5fcc218
rename UserWithGroupAndOrgID to GroupMemberRBACHelper
hugodutka Aug 7, 2024
2878c21
add the group_members_expanded db view
hugodutka Aug 9, 2024
3aa2a23
add comment on migration
hugodutka Aug 9, 2024
e428d40
rewrite group member queries to use the group_members_expanded view
hugodutka Aug 9, 2024
13ca3a9
add the RBAC ResourceGroupMember and add it to relevant roles
hugodutka Aug 9, 2024
1027d9f
rewrite GetGroupMembersByGroupID permission checks
hugodutka Aug 9, 2024
0aea7f8
- make the GroupMember type contain all user fields
hugodutka Aug 9, 2024
e5c5f3f
simplify RBAC check on group member count
hugodutka Aug 9, 2024
16e95d0
add the MemberTotalCount field to codersdk.Group
hugodutka Aug 9, 2024
d3b4d7c
remove the reduced groups endpoint, revert frontend to use the groups…
hugodutka Aug 9, 2024
b06f943
revert "simplify RBAC check on group member count" - new query didn't…
hugodutka Aug 9, 2024
4a65874
display `group.total_member_count` instead of `group.members.length` …
hugodutka Aug 9, 2024
1f4dcc7
adjust `total_member_count` on `MockGroup`
hugodutka Aug 9, 2024
f1513e0
fixes after rebase
hugodutka Aug 9, 2024
9ef0e0d
simplify RBAC check on GetGroupMembersCountByGroupID
hugodutka Aug 9, 2024
7627933
fix tests
hugodutka Aug 12, 2024
1080b29
resolve lint error
hugodutka Aug 12, 2024
19486da
update the groupsauth test to work with new group member permissions
hugodutka Aug 12, 2024
5373dd7
fix a mistake in test
hugodutka Aug 12, 2024
08646da
make ErrUserDeleted private
hugodutka Aug 13, 2024
4ec6adb
`dbgen.GroupMember` now fails when a supplied user or group doesn't e…
hugodutka Aug 13, 2024
add the RBAC ResourceGroupMember and add it to relevant roles
hugodutka committed Aug 12, 2024
commit 13ca3a9290e5b97efeff147a2b110217818a48f9
8 changes: 8 additions & 0 deletions coderd/rbac/object_gen.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

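--- a/coderd/rbac/policy/policy.go
+++ b/coderd/rbac/policy/policy.go
@@ -149,6 +149,11 @@ var RBACPermissions = map[string]PermissionDefinition{
 ActionUpdate: actDef("update a group"),
 },
 },
+"group_member": {
+Actions: map[Action]ActionDefinition{
+ActionRead: actDef("read group members"),
+},
+},
 "file": {
 Actions: map[Action]ActionDefinition{
 ActionCreate: actDef("create a file"),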
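Review bot: The new `"group_member"` entry carries no comment on how it relates to `"group"`, so a reader cannot tell from the definition which resource gates adding or removing members. Only `ActionRead` is defined, which suggests membership changes are still authorized through another resource (presumably `"group"` with `ActionUpdate`; that is not visible in this hunk). I would add a comment above the entry, e.g. `// group_member covers reading a group's member list; membership changes are authorized elsewhere.`, and name that other resource once confirmed. `RBACPermissions` starts and ends outside the hunk.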
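--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -301,10 +301,11 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 Site: Permissions(map[string][]policy.Action{
 // Should be able to read all template details, even in orgs they
 // are not in.
-ResourceTemplate.Type: {policy.ActionRead, policy.ActionViewInsights},
-ResourceAuditLog.Type: {policy.ActionRead},
-ResourceUser.Type: {policy.ActionRead},
-ResourceGroup.Type: {policy.ActionRead},
+ResourceTemplate.Type: {policy.ActionRead, policy.ActionViewInsights},
+ResourceAuditLog.Type: {policy.ActionRead},
+ResourceUser.Type: {policy.ActionRead},
+ResourceGroup.Type: {policy.ActionRead},
+ResourceGroupMember.Type: {policy.ActionRead},
 // Allow auditors to query deployment stats and insights.
 ResourceDeploymentStats.Type: {policy.ActionRead},
 ResourceDeploymentConfig.Type: {policy.ActionRead},
@@ -329,6 +330,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceOrganization.Type: {policy.ActionRead},
 ResourceUser.Type: {policy.ActionRead},
 ResourceGroup.Type: {policy.ActionRead},
+ResourceGroupMember.Type: {policy.ActionRead},
 // Org roles are not really used yet, so grant the perm at the site level.
 ResourceOrganizationMember.Type: {policy.ActionRead},
 }),
@@ -351,6 +353,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 // Full perms to manage org members
 ResourceOrganizationMember.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 ResourceGroup.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+ResourceGroupMember.Type: {policy.ActionRead},
 }),
 Org: map[string][]Permission{},
 User: []Permission{},
@@ -461,6 +464,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceAssignOrgRole.Type: {policy.ActionAssign, policy.ActionDelete, policy.ActionRead},
 ResourceOrganizationMember.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 ResourceGroup.Type: ResourceGroup.AvailableActions(),
+ResourceGroupMember.Type: ResourceGroupMember.AvailableActions(),
 }),
 },
 User: []Permission{},
@@ -480,6 +484,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 // Assigning template perms requires this permission.
 ResourceOrganizationMember.Type: {policy.ActionRead},
 ResourceGroup.Type: {policy.ActionRead},
+ResourceGroupMember.Type: {policy.ActionRead},
 }),
 },
 User: []Permission{},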
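Review bot: The three `ResourceGroupMember.Type: {policy.ActionRead}` grants in the hunks at `@@ -301`, `@@ -329` and `@@ -351` appear to sit in site-level permission maps, so those roles can read group membership in every organization, and nothing in the hunks records why the scope must be site-wide. The adjacent `ResourceGroup.Type` lines have the same scope, so this looks deliberate, but the PR's commit list suggests a group member carries the user's fields, so I would state the intent next to each grant, e.g. `// Membership is readable wherever the group is; keep in step with ResourceGroup.`. In the `@@ -461` hunk, `ResourceGroupMember.AvailableActions()` will pick up any action later added to `group_member` without a change here, which is worth a short comment too. No test file is part of this commit; a role-matrix case asserting that a role without this grant is denied `ActionRead` on `ResourceGroupMember` would pin the boundary. `ReloadBuiltinRoles` starts and ends outside these hunks, so most of the role names are not visible here.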
2 changes: 2 additions & 0 deletions codersdk/rbacresources_gen.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

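--- a/site/src/api/rbacresources_gen.ts
+++ b/site/src/api/rbacresources_gen.ts
@@ -50,6 +50,9 @@ export const RBACResourceActions: Partial<
 read: "read groups",
 update: "update a group",
 },
+group_member: {
+read: "read group members",
+},
 license: {
 create: "create a license",
 delete: "delete license",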
2 changes: 2 additions & 0 deletions site/src/api/typesGenerated.ts

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.