Skip to content

feat: remove "view all users" from members #8447

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 6 commits into from
Closed

feat: remove "view all users" from members #8447

wants to merge 6 commits into from

Conversation

Emyrk
Copy link
Member

@Emyrk Emyrk commented Jul 11, 2023
edited
Loading

Moved to #8650

What this does

Removes the rbac permission for users to read all other users on the site.

Closes #5002

Changes

Permission Changes

  • ResourceTypeUser now owned by user_id of itself.
  • member could read all Users --> member can read only themselves

Open issues to resolve

  • All templates fetch the creator name. This is no longer able to be read.

    coder/coderd/templates.go

    Lines 682 to 692 in 04a2cae

    func getCreatedByNamesByTemplateIDs(ctx context.Context, db database.Store, templates []database.Template) (map[string]string, error) {
    creators := make(map[string]string, len(templates))
    for _, template := range templates {
    creator, err := db.GetUserByID(ctx, template.CreatedBy)
    if err != nil {
    return map[string]string{}, err
    }
    creators[template.ID.String()] = creator.Username
    }
    return creators, nil
    }

    • Solution: Both created_by and creator_username is now omitted if the user cannot view the creator. Meaning they can see templates created by themselves. Admins can still view all users.

  • User counts are still being read

    • Solution: Implement GetUsers with sql filter rather than filtering the returned list. Now all counts are counts of the readable users for any given caller.

  • Group members still return all users

  • If you grant a member admin on a template, they can see the permissions page. This page has a list of users/groups that can use/admin the template. Should this page show users they cannot read?

@Emyrk
chore: templates conditionally return created by
76e724c 
If omitted, the caller does not have permission to view said data
@Emyrk Emyrk changed the title chore: add owner to resourceUser rbac object feat: remove "view all users" from members Jul 12, 2023
@Emyrk Emyrk mentioned this pull request Jul 13, 2023
Merged
@kylecarbs
Copy link
Member

Solution: Both created_by and creator_username is now omitted if the user cannot view the creator. Meaning they can see templates created by themselves. Admins can still view all users

@Emyrk I think we should allow users to see who is creating and maintaining templates. It's a worse experience for the user to not see that... they'll have no action to take if something is broken.

@Emyrk
Copy link
Member Author

Emyrk commented Jul 14, 2023

@Emyrk I think we should allow users to see who is creating and maintaining templates. It's a worse experience for the user to not see that... they'll have no action to take if something is broken.

I paused this PR because there is a lot of cases like that. There is a call today about it and a thread in slack + a notion page.

Essentially this is trickier than anticipated, so I broke the functional components of this PR up into different PRs and will likely close this.

@Emyrk Emyrk closed this Jul 18, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Jul 18, 2023
@Emyrk Emyrk deleted the stevenmasley/no_read_user branch January 9, 2024 20:10
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees

@Emyrk Emyrk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Make listing users and groups a privileged endpoint
2 participants
@Emyrk @kylecarbs