From 2b0dcec7ff21668ccd26286111be20fd509d3fb2 Mon Sep 17 00:00:00 2001
From: Jon Ayers
Date: Thu, 28 May 2026 17:19:42 +0000
Subject: [PATCH] fix(coderd/rbac): require org membership for user ACLs
---
 coderd/rbac/policy.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/coderd/rbac/policy.rego b/coderd/rbac/policy.rego
index e8844a22bd..5879a9e8b2 100644
--- a/coderd/rbac/policy.rego
+++ b/coderd/rbac/policy.rego
@@ -330,7 +330,7 @@ object_is_included_in_scope_allow_list if {
 # ACL for users
 acl_allow if {
- # TODO: Should you have to be a member of the org too?
+ is_org_member
 perms := input.object.acl_user_list[input.subject.id]
 # Check if either the action or * is allowed