chore: refactor roles to support multiple permission sets scoped by org id (#20186)

In preparation for adding the "member" permission level, which will also
be grouped by org ID, do a bit of a refactor so that it and the
existing "org" level can live in the same `map`.
ケイラ
2025-10-09 11:08:34 -06:00
committed by GitHub
parent 6213b30f10
commit caeff49aba
15 changed files with 235 additions and 204 deletions
+2 -3
@@ -355,21 +355,20 @@ func (p *DBTokenProvider) authorizeRequest(ctx context.Context, roles *rbac.Subj
return true, []string{}, nil
}
case database.AppSharingLevelOrganization:
// Check if the user is a member of the same organization as the workspace
// First check if they have permission to connect to their own workspace (enforces scopes)
err := p.Authorizer.Authorize(ctx, *roles, rbacAction, rbacResourceOwned)
if err != nil {
return false, warnings, nil
}
// Check if the user is a member of the workspace's organization
// Check if the user is a member of the same organization as the workspace
workspaceOrgID := dbReq.Workspace.OrganizationID
expandedRoles, err := roles.Roles.Expand()
if err != nil {
return false, warnings, xerrors.Errorf("expand roles: %w", err)
}
for _, role := range expandedRoles {
if _, ok := role.Org[workspaceOrgID.String()]; ok {
if _, ok := role.ByOrgID[workspaceOrgID.String()]; ok {
return true, []string{}, nil
}
}