mirror of
https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
b5a625549e
The agents-access role previously granted chat permissions at user
scope, but chats are org-scoped objects. Rego skips user-level perms
when org_owner is set, making the grants invisible. Handler-level
band-aids used synthetic non-org-scoped objects as a workaround.
- Migrates agents-access from users.rbac_roles (site-level) to
organization_members.roles (org-scoped) via DB migration
- Redefines agents-access as a predefined org-scoped builtin role
alongside organization-admin, organization-auditor, etc., with
Member permissions granting chat create/read/update
- Excludes ResourceChat from OrgMemberPermissions so org membership
alone no longer grants chat access
- Fixes handler Authorize checks to use org-scoped objects with
semantically correct actions (ActionUpdate for message/tool operations)
- Grants org admins the ability to assign agents-access
Closes #24250
Fixes CODAGT-174
Note: this does not update the "Usage" endpoints. Tracked by CODAGT-161.
19 lines
705 B
SQL
```sql
-- WARNING: this rollback is lossy. If an admin later revoked
-- agents-access from a specific org, rolling back will re-grant the
-- site-wide role (which covers ALL orgs) to any user who still holds
-- agents-access in at least one org.

-- Step 1: Move agents-access back to site-level for any user who has it in any org.
UPDATE users
SET rbac_roles = array_append(rbac_roles, 'agents-access')
WHERE id IN (
    SELECT DISTINCT user_id FROM organization_members
    WHERE 'agents-access' = ANY(roles)
)
AND NOT ('agents-access' = ANY(rbac_roles));

-- Step 2: Remove from org memberships.
UPDATE organization_members
SET roles = array_remove(roles, 'agents-access')
WHERE 'agents-access' = ANY(roles);
```