mirror of
https://github.com/coder/coder.git
synced 2026-06-05 05:58:20 +00:00
eeadd81989
Introduce the organization-workspace-access role and split the member and service-account perms into a floor plus an elevation set. The elevation lives in the new OrgWorkspaceAccessMemberPerms helper and is mirrored onto the new role; both OrgMemberPermissions and OrgServiceAccountPermissions compose floor + elevation today, so this PR is behavior-preserving. A future PR will gate the elevation on the minimum-implicit-member experiment so a user without organization-workspace-access has only the floor.

Org admins, owners, user admins, and the system role can assign the new role.

The helper carries the same "Intentionally omitted at Member scope" rationale as the prior enumeration so that owner-less resources (e.g. ResourceTemplate, ResourceWorkspaceProxy) are not re-added by mistake.

TestRolePermissions adds an org_workspace_access subject to requiredSubjects so the role's coverage is asserted in every test case. This catches accidental Org/Member swaps in the role wiring (e.g. attaching the perm set to Org instead of Member).

The prebuilds membership reconciler now wraps its InsertOrganizationMember call with dbauthz.AsSystemRestricted instead of relying on the AsPrebuildsOrchestrator context. The prebuilds system user does not log in or act with its assigned roles; the membership row only exists so prebuilt workspaces have a valid owner. Routing the assignment check through the system actor keeps the call working when the experiment splits workspace ops off organization-member, and removes the dependency on prebuildsOrchestrator's assignable role map.
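The floor + elevation composition and the Org/Member scope check that the commit message describes, as an added Go illustration that is not coder's code: the types, the `memberFloorPerms`, `orgWorkspaceAccessMemberPerms`, `compose`, `checkMemberCoverage` and `canAssign` functions, and every resource and role name in it are hypothetical, constructed to model the pattern rather than to reproduce coder's rbac package or its real permission tables.

```go
package main

import "fmt"

// Hypothetical model of "floor + elevation" permission composition.
// Not coder's rbac package; all names and permission tables are constructed.

// Permission pairs a resource type with an action on it.
type Permission struct {
	Resource string
	Action   string
}

// Role holds permissions at two scopes. Org-scoped permissions apply to every
// resource in the organization; Member-scoped ones only to resources the
// subject owns. Attaching a set at the wrong scope is the bug guarded below.
type Role struct {
	Name   string
	Org    []Permission
	Member []Permission
}

// memberFloorPerms is the minimal set every organization member keeps.
func memberFloorPerms() []Permission {
	return []Permission{
		{"organization_member", "read"},
		{"group", "read"},
	}
}

// orgWorkspaceAccessMemberPerms is the elevation: workspace operations that
// a later change gates behind the organization-workspace-access role.
// Intentionally omitted at Member scope: owner-less resources (constructed
// examples: "template", "workspace_proxy"), which have no owner for a
// Member-scoped check to match.
func orgWorkspaceAccessMemberPerms() []Permission {
	return []Permission{
		{"workspace", "create"},
		{"workspace", "read"},
		{"workspace", "update"},
		{"workspace", "delete"},
	}
}

// compose concatenates permission sets, dropping duplicates, order preserved.
func compose(sets ...[]Permission) []Permission {
	seen := map[Permission]bool{}
	var out []Permission
	for _, set := range sets {
		for _, p := range set {
			if !seen[p] {
				seen[p] = true
				out = append(out, p)
			}
		}
	}
	return out
}

// orgMemberRole composes floor + elevation, so behaviour is unchanged today.
func orgMemberRole() Role {
	return Role{
		Name:   "organization-member",
		Member: compose(memberFloorPerms(), orgWorkspaceAccessMemberPerms()),
	}
}

// orgWorkspaceAccessRole carries only the elevation, mirrored from the helper.
func orgWorkspaceAccessRole() Role {
	return Role{
		Name:   "organization-workspace-access",
		Member: orgWorkspaceAccessMemberPerms(),
	}
}

// checkMemberCoverage is the assertion a role-permission test would make:
// every required permission must be present at Member scope, and none may
// have leaked to Org scope (a swap would grant it on every workspace).
func checkMemberCoverage(r Role, required []Permission) error {
	member, org := map[Permission]bool{}, map[Permission]bool{}
	for _, p := range r.Member {
		member[p] = true
	}
	for _, p := range r.Org {
		org[p] = true
	}
	for _, p := range required {
		if org[p] {
			return fmt.Errorf("role %s: %s:%s attached at Org scope instead of Member", r.Name, p.Resource, p.Action)
		}
		if !member[p] {
			return fmt.Errorf("role %s: missing Member-scoped %s:%s", r.Name, p.Resource, p.Action)
		}
	}
	return nil
}

// assignableRoles models which actor roles may grant the new role.
var assignableRoles = map[string]map[string]bool{
	"owner":      {"organization-workspace-access": true},
	"org-admin":  {"organization-workspace-access": true},
	"user-admin": {"organization-workspace-access": true},
	"system":     {"organization-workspace-access": true},
}

// canAssign reports whether actorRole may assign target; unknown actors get false.
func canAssign(actorRole, target string) bool {
	return assignableRoles[actorRole][target]
}

func main() {
	req := orgWorkspaceAccessMemberPerms()
	for _, r := range []Role{orgMemberRole(), orgWorkspaceAccessRole()} {
		fmt.Println(r.Name, "coverage error:", checkMemberCoverage(r, req))
	}
	swapped := Role{Name: "swapped", Org: req} // the wiring mistake the test catches
	fmt.Println(checkMemberCoverage(swapped, req))
	fmt.Println("org-admin may assign:", canAssign("org-admin", "organization-workspace-access"))
}
```

Running `checkMemberCoverage` with the elevation set as the requirement is the point of adding the new subject to the required-subjects list: the composed member role and the standalone role both pass, while a role that attaches the same set at Org scope fails with a message naming the swap, and a role holding only the floor fails for the missing Member-scoped permissions.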