
Commit 98ae4a5

jaaydenhaslilac
authored and committed
fix: add org role read permissions to site wide template admins and auditors (#16733)
resolves coder/internal#388. Since site-wide admins and auditors are able to access the members page of any org, they should have read access to org roles.
1 parent 324fbd7 commit 98ae4a5

2 files changed

+6
-4
lines changed


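--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -307,7 +307,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 Identifier: RoleAuditor(),
 DisplayName: "Auditor",
 Site: Permissions(map[string][]policy.Action{
-ResourceAuditLog.Type: {policy.ActionRead},
+ResourceAssignOrgRole.Type: {policy.ActionRead},
+ResourceAuditLog.Type: {policy.ActionRead},
 // Allow auditors to see the resources that audit logs reflect.
 ResourceTemplate.Type: {policy.ActionRead, policy.ActionViewInsights},
 ResourceUser.Type: {policy.ActionRead},
@@ -327,7 +328,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 Identifier: RoleTemplateAdmin(),
 DisplayName: "Template Admin",
 Site: Permissions(map[string][]policy.Action{
-ResourceTemplate.Type: ResourceTemplate.AvailableActions(),
+ResourceAssignOrgRole.Type: {policy.ActionRead},
+ResourceTemplate.Type: ResourceTemplate.AvailableActions(),
 // CRUD all files, even those they did not upload.
 ResourceFile.Type: {policy.ActionCreate, policy.ActionRead},
 ResourceWorkspace.Type: {policy.ActionRead},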
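Review bot: The new `ResourceAssignOrgRole.Type: {policy.ActionRead}` entries in both hunks of this file carry no why-comment, while the neighbouring audit-log grant does explain itself; since these are site-level grants that apply across every organization, the intent should be recorded next to them. A comment such as `// Site-wide auditors can open any org's members page, so they need to read org roles (coder/internal#388).` on the first added line, and the equivalent for Template Admin in the second hunk, would make the scope of the grant clear to the next reader. The grant is read-only and does not extend to assigning roles, which is worth stating explicitly in that comment so a later edit does not widen it by accident. ReloadBuiltinRoles continues outside both hunks.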

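--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -352,8 +352,8 @@ func TestRolePermissions(t *testing.T) {
 Actions: []policy.Action{policy.ActionRead},
 Resource: rbac.ResourceAssignOrgRole.InOrg(orgID),
 AuthorizeMap: map[bool][]hasAuthSubjects{
-true: {owner, setOrgNotMe, orgMemberMe, userAdmin},
-false: {setOtherOrg, memberMe, templateAdmin},
+true: {owner, setOrgNotMe, orgMemberMe, userAdmin, templateAdmin},
+false: {setOtherOrg, memberMe},
 },
 },
 {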
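Review bot: The updated AuthorizeMap moves templateAdmin into the `true` set but no auditor subject appears in either set of this case, so the auditor grant added in coderd/rbac/roles.go is not exercised by the visible change. If the test fixture has an auditor subject it should be listed alongside templateAdmin in `true:`; if it does not, a case for it is needed, since a site-level permission change without a test can silently widen or lose access on later edits. It would also be worth confirming that a sibling case still keeps templateAdmin in the `false` set for the non-read actions on ResourceAssignOrgRole, so the test pins that only read was granted; that case, if present, is outside this hunk. TestRolePermissions continues outside the hunk.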
