softwareengineer-imerjr
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 4 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 4 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/authorize.go
Lines changed: 4 additions & 3 deletions b/‎coderd/authorize.go
Lines changed: 4 additions & 3 deletions
diff --git a/‎coderd/rbac/astvalue.go
Lines changed: 4 additions & 0 deletions b/‎coderd/rbac/astvalue.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/rbac/authz.go
Lines changed: 8 additions & 1 deletion b/‎coderd/rbac/authz.go
Lines changed: 8 additions & 1 deletion
diff --git a/‎coderd/rbac/authz_internal_test.go
Lines changed: 38 additions & 7 deletions b/‎coderd/rbac/authz_internal_test.go
Lines changed: 38 additions & 7 deletions
diff --git a/‎coderd/rbac/authz_test.go
Lines changed: 1 addition & 1 deletion b/‎coderd/rbac/authz_test.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/rbac/object.go
Lines changed: 27 additions & 0 deletions b/‎coderd/rbac/object.go
Lines changed: 27 additions & 0 deletions
diff --git a/‎coderd/rbac/policy.rego
Lines changed: 55 additions & 2 deletions b/‎coderd/rbac/policy.rego
Lines changed: 55 additions & 2 deletions
diff --git a/‎coderd/rbac/roles_test.go
Lines changed: 40 additions & 0 deletions b/‎coderd/rbac/roles_test.go
Lines changed: 40 additions & 0 deletions
diff --git a/‎codersdk/authorization.go
Lines changed: 3 additions & 0 deletions b/‎codersdk/authorization.go
Lines changed: 3 additions & 0 deletions
@@ -167,9 +167,10 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 		}
 
 		obj := rbac.Object{
-			Owner: v.Object.OwnerID,
-			OrgID: v.Object.OrganizationID,
-			Type:  string(v.Object.ResourceType),
+			Owner:       v.Object.OwnerID,
+			OrgID:       v.Object.OrganizationID,
+			Type:        string(v.Object.ResourceType),
+			AnyOrgOwner: v.Object.AnyOrgOwner,
 		}
 		if obj.Owner == "me" {
 			obj.Owner = auth.ID
 
@@ -124,6 +124,10 @@ func (z Object) regoValue() ast.Value {
 			ast.StringTerm("org_owner"),
 			ast.StringTerm(z.OrgID),
 		},
+		[2]*ast.Term{
+			ast.StringTerm("any_org"),
+			ast.BooleanTerm(z.AnyOrgOwner),
+		},
 		[2]*ast.Term{
 			ast.StringTerm("type"),
 			ast.StringTerm(z.Type),
 
@@ -181,7 +181,7 @@ func Filter[O Objecter](ctx context.Context, auth Authorizer, subject Subject, a
 		for _, o := range objects {
 			rbacObj := o.RBACObject()
 			if rbacObj.Type != objectType {
-				return nil, xerrors.Errorf("object types must be uniform across the set (%s), found %s", objectType, rbacObj)
+				return nil, xerrors.Errorf("object types must be uniform across the set (%s), found %s", objectType, rbacObj.Type)
 			}
 			err := auth.Authorize(ctx, subject, action, o.RBACObject())
 			if err == nil {
@@ -387,6 +387,13 @@ func (a RegoAuthorizer) authorize(ctx context.Context, subject Subject, action p
 		return xerrors.Errorf("subject must have a scope")
 	}
 
+	// The caller should use either 1 or the other (or none).
+	// Using "AnyOrgOwner" and an OrgID is a contradiction.
+	// An empty uuid or a nil uuid means "no org owner".
+	if object.AnyOrgOwner && !(object.OrgID == "" || object.OrgID == "00000000-0000-0000-0000-000000000000") {
+		return xerrors.Errorf("object cannot have 'any_org' and an 'org_id' specified, values are mutually exclusive")
+	}
+
 	astV, err := regoInputValue(subject, action, object)
 	if err != nil {
 		return xerrors.Errorf("convert input to value: %w", err)
 
@@ -291,6 +291,22 @@ func TestAuthorizeDomain(t *testing.T) {
 	unuseID := uuid.New()
 	allUsersGroup := "Everyone"
 
+	// orphanedUser has no organization
+	orphanedUser := Subject{
+		ID:     "me",
+		Scope:  must(ExpandScope(ScopeAll)),
+		Groups: []string{},
+		Roles: Roles{
+			must(RoleByName(RoleMember())),
+		},
+	}
+	testAuthorize(t, "OrphanedUser", orphanedUser, []authTestCase{
+		{resource: ResourceWorkspace.InOrg(defOrg).WithOwner(orphanedUser.ID), actions: ResourceWorkspace.AvailableActions(), allow: false},
+
+		// Orphaned user cannot create workspaces in any organization
+		{resource: ResourceWorkspace.AnyOrganization().WithOwner(orphanedUser.ID), actions: []policy.Action{policy.ActionCreate}, allow: false},
+	})
+
 	user := Subject{
 		ID:     "me",
 		Scope:  must(ExpandScope(ScopeAll)),
@@ -370,6 +386,10 @@ func TestAuthorizeDomain(t *testing.T) {
 		{resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID), actions: ResourceWorkspace.AvailableActions(), allow: true},
 		{resource: ResourceWorkspace.InOrg(defOrg), actions: ResourceWorkspace.AvailableActions(), allow: false},
 
+		// AnyOrganization using a user scoped permission
+		{resource: ResourceWorkspace.AnyOrganization().WithOwner(user.ID), actions: ResourceWorkspace.AvailableActions(), allow: true},
+		{resource: ResourceTemplate.AnyOrganization(), actions: []policy.Action{policy.ActionCreate}, allow: false},
+
 		{resource: ResourceWorkspace.WithOwner(user.ID), actions: ResourceWorkspace.AvailableActions(), allow: true},
 
 		{resource: ResourceWorkspace.All(), actions: ResourceWorkspace.AvailableActions(), allow: false},
@@ -443,6 +463,8 @@ func TestAuthorizeDomain(t *testing.T) {
 	workspaceExceptConnect := slice.Omit(ResourceWorkspace.AvailableActions(), policy.ActionApplicationConnect, policy.ActionSSH)
 	workspaceConnect := []policy.Action{policy.ActionApplicationConnect, policy.ActionSSH}
 	testAuthorize(t, "OrgAdmin", user, []authTestCase{
+		{resource: ResourceTemplate.AnyOrganization(), actions: []policy.Action{policy.ActionCreate}, allow: true},
+
 		// Org + me
 		{resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID), actions: ResourceWorkspace.AvailableActions(), allow: true},
 		{resource: ResourceWorkspace.InOrg(defOrg), actions: workspaceExceptConnect, allow: true},
@@ -479,6 +501,9 @@ func TestAuthorizeDomain(t *testing.T) {
 	}
 
 	testAuthorize(t, "SiteAdmin", user, []authTestCase{
+		// Similar to an orphaned user, but has site level perms
+		{resource: ResourceTemplate.AnyOrganization(), actions: []policy.Action{policy.ActionCreate}, allow: true},
+
 		// Org + me
 		{resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID), actions: ResourceWorkspace.AvailableActions(), allow: true},
 		{resource: ResourceWorkspace.InOrg(defOrg), actions: ResourceWorkspace.AvailableActions(), allow: true},
@@ -1078,9 +1103,10 @@ func testAuthorize(t *testing.T, name string, subject Subject, sets ...[]authTes
 					t.Logf("input: %s", string(d))
 					if authError != nil {
 						var uerr *UnauthorizedError
-						xerrors.As(authError, &uerr)
-						t.Logf("internal error: %+v", uerr.Internal().Error())
-						t.Logf("output: %+v", uerr.Output())
+						if xerrors.As(authError, &uerr) {
+							t.Logf("internal error: %+v", uerr.Internal().Error())
+							t.Logf("output: %+v", uerr.Output())
+						}
 					}
 
 					if c.allow {
@@ -1115,10 +1141,15 @@ func testAuthorize(t *testing.T, name string, subject Subject, sets ...[]authTes
 					require.Equal(t, 0, len(partialAuthz.partialQueries.Support), "expected 0 support rules in scope authorizer")
 
 					partialErr := partialAuthz.Authorize(ctx, c.resource)
-					if authError != nil {
-						assert.Error(t, partialErr, "partial allowed invalid request  (false positive)")
-					} else {
-						assert.NoError(t, partialErr, "partial error blocked valid request (false negative)")
+					// If 'AnyOrgOwner' is true, a partial eval does not make sense.
+					// Run the partial eval to ensure no panics, but the actual authz
+					// response does not matter.
+					if !c.resource.AnyOrgOwner {
+						if authError != nil {
+							assert.Error(t, partialErr, "partial allowed invalid request  (false positive)")
+						} else {
+							assert.NoError(t, partialErr, "partial error blocked valid request (false negative)")
+						}
 					}
 				}
 			})
 
@@ -314,7 +314,7 @@ func BenchmarkCacher(b *testing.B) {
 	}
 }
 
-func TestCacher(t *testing.T) {
+func TestCache(t *testing.T) {
 	t.Parallel()
 
 	t.Run("NoCache", func(t *testing.T) {
 
@@ -23,6 +23,12 @@ type Object struct {
 	Owner string `json:"owner"`
 	// OrgID specifies which org the object is a part of.
 	OrgID string `json:"org_owner"`
+	// AnyOrgOwner will disregard the org_owner when checking for permissions
+	// Use this to ask, "Can the actor do this action on any org?" when
+	// the exact organization is not important or known.
+	// E.g: The UI should show a "create template" button if the user
+	// can create a template in any org.
+	AnyOrgOwner bool `json:"any_org"`
 
 	// Type is "workspace", "project", "app", etc
 	Type string `json:"type"`
@@ -115,6 +121,7 @@ func (z Object) All() Object {
 		Type:         z.Type,
 		ACLUserList:  map[string][]policy.Action{},
 		ACLGroupList: map[string][]policy.Action{},
+		AnyOrgOwner:  z.AnyOrgOwner,
 	}
 }
 
@@ -126,6 +133,7 @@ func (z Object) WithIDString(id string) Object {
 		Type:         z.Type,
 		ACLUserList:  z.ACLUserList,
 		ACLGroupList: z.ACLGroupList,
+		AnyOrgOwner:  z.AnyOrgOwner,
 	}
 }
 
@@ -137,6 +145,7 @@ func (z Object) WithID(id uuid.UUID) Object {
 		Type:         z.Type,
 		ACLUserList:  z.ACLUserList,
 		ACLGroupList: z.ACLGroupList,
+		AnyOrgOwner:  z.AnyOrgOwner,
 	}
 }
 
@@ -149,6 +158,21 @@ func (z Object) InOrg(orgID uuid.UUID) Object {
 		Type:         z.Type,
 		ACLUserList:  z.ACLUserList,
 		ACLGroupList: z.ACLGroupList,
+		// InOrg implies AnyOrgOwner is false
+		AnyOrgOwner: false,
+	}
+}
+
+func (z Object) AnyOrganization() Object {
+	return Object{
+		ID:    z.ID,
+		Owner: z.Owner,
+		// AnyOrgOwner cannot have an org owner also set.
+		OrgID:        "",
+		Type:         z.Type,
+		ACLUserList:  z.ACLUserList,
+		ACLGroupList: z.ACLGroupList,
+		AnyOrgOwner:  true,
 	}
 }
 
@@ -161,6 +185,7 @@ func (z Object) WithOwner(ownerID string) Object {
 		Type:         z.Type,
 		ACLUserList:  z.ACLUserList,
 		ACLGroupList: z.ACLGroupList,
+		AnyOrgOwner:  z.AnyOrgOwner,
 	}
 }
 
@@ -173,6 +198,7 @@ func (z Object) WithACLUserList(acl map[string][]policy.Action) Object {
 		Type:         z.Type,
 		ACLUserList:  acl,
 		ACLGroupList: z.ACLGroupList,
+		AnyOrgOwner:  z.AnyOrgOwner,
 	}
 }
 
@@ -184,5 +210,6 @@ func (z Object) WithGroupACL(groups map[string][]policy.Action) Object {
 		Type:         z.Type,
 		ACLUserList:  z.ACLUserList,
 		ACLGroupList: groups,
+		AnyOrgOwner:  z.AnyOrgOwner,
 	}
 }
@@ -92,8 +92,18 @@ org := org_allow(input.subject.roles)
 default scope_org := 0
 scope_org := org_allow([input.scope])
 
-org_allow(roles) := num {
-	allow := { id: num |
+# org_allow_set is a helper function that iterates over all orgs that the actor
+# is a member of. For each organization it sets the numerical allow value
+# for the given object + action if the object is in the organization.
+# The resulting value is a map that looks something like:
+# {"10d03e62-7703-4df5-a358-4f76577d4e2f": 1, "5750d635-82e0-4681-bd44-815b18669d65": 1}
+# The caller can use this output[<object.org_owner>] to get the final allow value.
+#
+# The reason we calculate this for all orgs, and not just the input.object.org_owner
+# is that sometimes the input.object.org_owner is unknown. In those cases
+# we have a list of org_ids that can we use in a SQL 'WHERE' clause.
+org_allow_set(roles) := allow_set {
+	allow_set := { id: num |
 		id := org_members[_]
 		set := { x |
 			perm := roles[_].org[id][_]
@@ -103,6 +113,13 @@ org_allow(roles) := num {
 		}
 		num := number(set)
 	}
+}
+
+org_allow(roles) := num {
+	# If the object has "any_org" set to true, then use the other
+	# org_allow block.
+	not input.object.any_org
+	allow := org_allow_set(roles)
 
 	# Return only the org value of the input's org.
 	# The reason why we do not do this up front, is that we need to make sure
@@ -112,12 +129,47 @@ org_allow(roles) := num {
 	num := allow[input.object.org_owner]
 }
 
+# This block states if "object.any_org" is set to true, then disregard the
+# organization id the object is associated with. Instead, we check if the user
+# can do the action on any organization.
+# This is useful for UI elements when we want to conclude, "Can the user create
+# a new template in any organization?"
+# It is easier than iterating over every organization the user is apart of.
+org_allow(roles) := num {
+	input.object.any_org # if this is false, this code block is not used
+	allow := org_allow_set(roles)
+
+
+	# allow is a map of {"<org_id>": <number>}. We only care about values
+	# that are 1, and ignore the rest.
+	num := number([
+		keep |
+		  # for every value in the mapping
+		  value := allow[_]
+		  # only keep values > 0.
+		  # 1 = allow, 0 = abstain, -1 = deny
+		  # We only need 1 explicit allow to allow the action.
+		  # deny's and abstains are intentionally ignored.
+		  value > 0
+		  # result set is a set of [true,false,...]
+		  # which "number()" will convert to a number.
+		  keep := true
+	])
+}
+
 # 'org_mem' is set to true if the user is an org member
+# If 'any_org' is set to true, use the other block to determine org membership.
 org_mem := true {
+	not input.object.any_org
 	input.object.org_owner != ""
 	input.object.org_owner in org_members
 }
 
+org_mem := true {
+	input.object.any_org
+	count(org_members) > 0
+}
+
 org_ok {
 	org_mem
 }
@@ -126,6 +178,7 @@ org_ok {
 # the non-existent org.
 org_ok {
 	input.object.org_owner == ""
+	not input.object.any_org
 }
 
 # User is the same as the site, except it only applies if the user owns the object and
 
@@ -590,6 +590,46 @@ func TestRolePermissions(t *testing.T) {
 				false: {},
 			},
 		},
+		// AnyOrganization tests
+		{
+			Name:     "CreateOrgMember",
+			Actions:  []policy.Action{policy.ActionCreate},
+			Resource: rbac.ResourceOrganizationMember.AnyOrganization(),
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true: {owner, userAdmin, orgAdmin, otherOrgAdmin, orgUserAdmin, otherOrgUserAdmin},
+				false: {
+					memberMe, templateAdmin,
+					orgTemplateAdmin, orgMemberMe, orgAuditor,
+					otherOrgMember, otherOrgAuditor, otherOrgTemplateAdmin,
+				},
+			},
+		},
+		{
+			Name:     "CreateTemplateAnyOrg",
+			Actions:  []policy.Action{policy.ActionCreate},
+			Resource: rbac.ResourceTemplate.AnyOrganization(),
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true: {owner, templateAdmin, orgTemplateAdmin, otherOrgTemplateAdmin, orgAdmin, otherOrgAdmin},
+				false: {
+					userAdmin, memberMe,
+					orgMemberMe, orgAuditor, orgUserAdmin,
+					otherOrgMember, otherOrgAuditor, otherOrgUserAdmin,
+				},
+			},
+		},
+		{
+			Name:     "CreateWorkspaceAnyOrg",
+			Actions:  []policy.Action{policy.ActionCreate},
+			Resource: rbac.ResourceWorkspace.AnyOrganization().WithOwner(currentUser.String()),
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true: {owner, orgAdmin, otherOrgAdmin, orgMemberMe},
+				false: {
+					memberMe, userAdmin, templateAdmin,
+					orgAuditor, orgUserAdmin, orgTemplateAdmin,
+					otherOrgMember, otherOrgAuditor, otherOrgUserAdmin, otherOrgTemplateAdmin,
+				},
+			},
+		},
 	}
 
 	// We expect every permission to be tested above.
 
@@ -54,6 +54,9 @@ type AuthorizationObject struct {
 	// are using this option, you should also set the owner ID and organization ID
 	// if possible. Be as specific as possible using all the fields relevant.
 	ResourceID string `json:"resource_id,omitempty"`
+	// AnyOrgOwner (optional) will disregard the org_owner when checking for permissions.
+	// This cannot be set to true if the OrganizationID is set.
+	AnyOrgOwner bool `json:"any_org,omitempty"`
 }
 
 // AuthCheck allows the authenticated user to check if they have the given permissions
Original file line number	Diff line number	Diff line change
`@@ -167,9 +167,10 @@ func (api API) checkAuthorization(rw http.ResponseWriter, r http.Request) {`
`167`	`167`	`}`
`168`	`168`
`169`	`169`	`obj := rbac.Object{`
`170`		`- Owner: v.Object.OwnerID,`
`171`		`- OrgID: v.Object.OrganizationID,`
`172`		`- Type: string(v.Object.ResourceType),`
	`170`	`+ Owner: v.Object.OwnerID,`
	`171`	`+ OrgID: v.Object.OrganizationID,`
	`172`	`+ Type: string(v.Object.ResourceType),`
	`173`	`+ AnyOrgOwner: v.Object.AnyOrgOwner,`
`173`	`174`	`}`
`174`	`175`	`if obj.Owner == "me" {`
`175`	`176`	`obj.Owner = auth.ID`
Original file line number	Diff line number	Diff line change
`@@ -314,7 +314,7 @@ func BenchmarkCacher(b *testing.B) {`
`314`	`314`	`}`
`315`	`315`	`}`
`316`	`316`
`317`		`-func TestCacher(t *testing.T) {`
	`317`	`+func TestCache(t *testing.T) {`
`318`	`318`	`t.Parallel()`
`319`	`319`
`320`	`320`	`t.Run("NoCache", func(t *testing.T) {`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,12 @@ type Object struct {`
`23`	`23`	Owner string `json:"owner"`
`24`	`24`	`// OrgID specifies which org the object is a part of.`
`25`	`25`	OrgID string `json:"org_owner"`
	`26`	`+ // AnyOrgOwner will disregard the org_owner when checking for permissions`
	`27`	`+ // Use this to ask, "Can the actor do this action on any org?" when`
	`28`	`+ // the exact organization is not important or known.`
	`29`	`+ // E.g: The UI should show a "create template" button if the user`
	`30`	`+ // can create a template in any org.`
	`31`	+ AnyOrgOwner bool `json:"any_org"`
`26`	`32`
`27`	`33`	`// Type is "workspace", "project", "app", etc`
`28`	`34`	Type string `json:"type"`
`@@ -115,6 +121,7 @@ func (z Object) All() Object {`
`115`	`121`	`Type: z.Type,`
`116`	`122`	`ACLUserList: map[string][]policy.Action{},`
`117`	`123`	`ACLGroupList: map[string][]policy.Action{},`
	`124`	`+ AnyOrgOwner: z.AnyOrgOwner,`
`118`	`125`	`}`
`119`	`126`	`}`
`120`	`127`
`@@ -126,6 +133,7 @@ func (z Object) WithIDString(id string) Object {`
`126`	`133`	`Type: z.Type,`
`127`	`134`	`ACLUserList: z.ACLUserList,`
`128`	`135`	`ACLGroupList: z.ACLGroupList,`
	`136`	`+ AnyOrgOwner: z.AnyOrgOwner,`
`129`	`137`	`}`
`130`	`138`	`}`
`131`	`139`
`@@ -137,6 +145,7 @@ func (z Object) WithID(id uuid.UUID) Object {`
`137`	`145`	`Type: z.Type,`
`138`	`146`	`ACLUserList: z.ACLUserList,`
`139`	`147`	`ACLGroupList: z.ACLGroupList,`
	`148`	`+ AnyOrgOwner: z.AnyOrgOwner,`
`140`	`149`	`}`
`141`	`150`	`}`
`142`	`151`
`@@ -149,6 +158,21 @@ func (z Object) InOrg(orgID uuid.UUID) Object {`
`149`	`158`	`Type: z.Type,`
`150`	`159`	`ACLUserList: z.ACLUserList,`
`151`	`160`	`ACLGroupList: z.ACLGroupList,`
	`161`	`+ // InOrg implies AnyOrgOwner is false`
	`162`	`+ AnyOrgOwner: false,`
	`163`	`+ }`
	`164`	`+}`
	`165`	`+`
	`166`	`+func (z Object) AnyOrganization() Object {`
	`167`	`+ return Object{`
	`168`	`+ ID: z.ID,`
	`169`	`+ Owner: z.Owner,`
	`170`	`+ // AnyOrgOwner cannot have an org owner also set.`
	`171`	`+ OrgID: "",`
	`172`	`+ Type: z.Type,`
	`173`	`+ ACLUserList: z.ACLUserList,`
	`174`	`+ ACLGroupList: z.ACLGroupList,`
	`175`	`+ AnyOrgOwner: true,`
`152`	`176`	`}`
`153`	`177`	`}`
`154`	`178`
`@@ -161,6 +185,7 @@ func (z Object) WithOwner(ownerID string) Object {`
`161`	`185`	`Type: z.Type,`
`162`	`186`	`ACLUserList: z.ACLUserList,`
`163`	`187`	`ACLGroupList: z.ACLGroupList,`
	`188`	`+ AnyOrgOwner: z.AnyOrgOwner,`
`164`	`189`	`}`
`165`	`190`	`}`
`166`	`191`
`@@ -173,6 +198,7 @@ func (z Object) WithACLUserList(acl map[string][]policy.Action) Object {`
`173`	`198`	`Type: z.Type,`
`174`	`199`	`ACLUserList: acl,`
`175`	`200`	`ACLGroupList: z.ACLGroupList,`
	`201`	`+ AnyOrgOwner: z.AnyOrgOwner,`
`176`	`202`	`}`
`177`	`203`	`}`
`178`	`204`
`@@ -184,5 +210,6 @@ func (z Object) WithGroupACL(groups map[string][]policy.Action) Object {`
`184`	`210`	`Type: z.Type,`
`185`	`211`	`ACLUserList: z.ACLUserList,`
`186`	`212`	`ACLGroupList: groups,`
	`213`	`+ AnyOrgOwner: z.AnyOrgOwner,`
`187`	`214`	`}`
`188`	`215`	`}`
Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,9 @@ type AuthorizationObject struct {`
`54`	`54`	`// are using this option, you should also set the owner ID and organization ID`
`55`	`55`	`// if possible. Be as specific as possible using all the fields relevant.`
`56`	`56`	ResourceID string `json:"resource_id,omitempty"`
	`57`	`+ // AnyOrgOwner (optional) will disregard the org_owner when checking for permissions.`
	`58`	`+ // This cannot be set to true if the OrganizationID is set.`
	`59`	+ AnyOrgOwner bool `json:"any_org,omitempty"`
`57`	`60`	`}`
`58`	`61`
`59`	`62`	`// AuthCheck allows the authenticated user to check if they have the given permissions`