mirror of
https://github.com/coder/coder.git
synced 2026-06-06 06:28:20 +00:00
bec2115e75
<!-- Authored by Coder Agents on behalf of @Emyrk. -->

Refs [PLAT-217](https://linear.app/codercom/issue/PLAT-217/rfc-for-gateway-accounts).

Extracts an `organization-workspace-access` role so workspace elevation can be split off the organization-member floor without changing behavior.

- New role holds the workspace-side resources currently granted by `organization-member`.
- The `MinimumImplicitMember` floor preserves the existing behavior until #26027 shrinks it.
- Prebuilds orchestrator inserts memberships via `dbauthz.AsSystemRestricted` and no longer needs `OrganizationMember` or `AssignOrgRole` grants.

<details><summary>Agent context</summary>

- `coderd/rbac/roles.go`: `OrgWorkspaceAccessMemberPerms()` grants `Workspace`, `WorkspaceDormant`, `File` (Create+Read), `ProvisionerDaemon` (Create+Read), and `Task`. Deliberate omissions (`Template`, `Group`, `WorkspaceProxy`, etc.) are documented inline.
- `coderd/rbac/roles_test.go`: `orgWorkspaceAccessUser` is added to `requiredSubjects`. `UserProvisionerDaemons` is split into `UserProvisionerDaemonsCreate` and `UserProvisionerDaemonsUpdateDelete` because the new role grants Create+Read only and the test framework requires uniform pass/fail per case.
- `codersdk/rbacroles.go`: exposes `RoleOrganizationWorkspaceAccess`.
- `enterprise/coderd/prebuilds/membership.go`: `InsertOrganizationMember` runs under `dbauthz.AsSystemRestricted`. The orchestrator never acts with the elevation role; the membership row only exists so prebuilt workspaces have a valid owner.
- `coderd/database/dbauthz/dbauthz.go`: drops the now-dead `OrganizationMember` and `AssignOrgRole` permissions from the prebuilds-orchestrator role and the orchestrator's entry in `assignRoles`.

</details>

---

<sub>Coder Agents on behalf of @Emyrk.</sub>
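As an added illustration (not Coder's own code or types), the following self-contained Go model shows the least-privilege split the commit describes: the extracted role carries Create+Read only on `file` and `provisioner_daemon`, omits `template`, and a member holding both roles keeps what they had before. The resource names, the full-CRUD assumption for workspace and task, and the contents of the organization-member floor are assumptions made for this example.

```go
package main

// Simplified model of the role split (not Coder's own rbac types): a role
// maps a resource type to its allowed actions; any matching role authorizes.
type Action string

const (
	ActionCreate, ActionRead   Action = "create", "read"
	ActionUpdate, ActionDelete Action = "update", "delete"
)

var crud = []Action{ActionCreate, ActionRead, ActionUpdate, ActionDelete}
type Role map[string][]Action

// OrgWorkspaceAccess models the extracted role: workspace, dormant workspace
// and task (full CRUD is assumed here), but only Create+Read on file and
// provisioner_daemon. template, group and workspace_proxy are left out.
func OrgWorkspaceAccess() Role {
	return Role{
		"workspace": crud, "workspace_dormant": crud, "task": crud,
		"file":               {ActionCreate, ActionRead},
		"provisioner_daemon": {ActionCreate, ActionRead},
	}
}

// OrgMemberFloor models what organization-member keeps after the split;
// its exact contents are an assumption made for this example.
func OrgMemberFloor() Role {
	return Role{"organization": {ActionRead}, "template": {ActionRead}}
}

// MinimumImplicitMember grants both roles, so existing members see no change.
func MinimumImplicitMember() []Role {
	return []Role{OrgMemberFloor(), OrgWorkspaceAccess()}
}

// Authorize reports whether any role grants action on resource.
func Authorize(roles []Role, action Action, resource string) bool {
	for _, r := range roles {
		for _, a := range r[resource] {
			if a == action {
				return true
			}
		}
	}
	return false
}

func main() {} // entry point kept so the file builds as a program
```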