fix(coderd/rbac): require org membership for user ACLs

2026-06-02 20:48:20 +00:00 · 2026-05-28 17:19:42 +00:00
parent a043177c75
commit 2b0dcec7ff
1 changed files with 1 additions and 1 deletions
@@ -330,7 +330,7 @@ object_is_included_in_scope_allow_list if {

 # ACL for users
 acl_allow if {
-	# TODO: Should you have to be a member of the org too?
+	is_org_member
 	perms := input.object.acl_user_list[input.subject.id]

 	# Check if either the action or * is allowed