b5a625549e
The agents-access role previously granted chat permissions at user
scope, but chats are org-scoped objects. Rego skips user-level perms
when org_owner is set, making the grants invisible. Handler-level
band-aids used synthetic non-org-scoped objects as a workaround.
- Migrates agents-access from users.rbac_roles (site-level) to
organization_members.roles (org-scoped) via DB migration
- Redefines agents-access as a predefined org-scoped builtin role
alongside organization-admin, organization-auditor, etc., with
Member permissions granting chat create/read/update
- Excludes ResourceChat from OrgMemberPermissions so org membership
alone no longer grants chat access
- Fixes handler Authorize checks to use org-scoped objects with
semantically correct actions (ActionUpdate for message/tool operations)
- Grants org admins the ability to assign agents-access
Closes #24250
Fixes CODAGT-174
Note: this does not update the "Usage" endpoints. Tracked by CODAGT-161.
> 🤖
{
"viewAllUsers": {
"object": { "resource_type": "user" },
"action": "read"
},
"updateUsers": {
"object": { "resource_type": "user" },
"action": "update"
},
"createUser": {
"object": { "resource_type": "user" },
"action": "create"
},
"createTemplates": {
"object": { "resource_type": "template", "any_org": true },
"action": "create"
},
"updateTemplates": {
"object": { "resource_type": "template" },
"action": "update"
},
"deleteTemplates": {
"object": { "resource_type": "template" },
"action": "delete"
},
"viewDeploymentConfig": {
"object": { "resource_type": "deployment_config" },
"action": "read"
},
"editDeploymentConfig": {
"object": { "resource_type": "deployment_config" },
"action": "update"
},
"viewDeploymentStats": {
"object": { "resource_type": "deployment_stats" },
"action": "read"
},
"readWorkspaceProxies": {
"object": { "resource_type": "workspace_proxy" },
"action": "read"
},
"editWorkspaceProxies": {
"object": { "resource_type": "workspace_proxy" },
"action": "create"
},
"createOrganization": {
"object": { "resource_type": "organization" },
"action": "create"
},
"viewAnyGroup": {
"object": { "resource_type": "group" },
"action": "read"
},
"createGroup": {
"object": { "resource_type": "group" },
"action": "create"
},
"viewAllLicenses": {
"object": { "resource_type": "license" },
"action": "read"
},
"viewNotificationTemplate": {
"object": { "resource_type": "notification_template" },
"action": "read"
},
"viewOrganizationIDPSyncSettings": {
"object": { "resource_type": "idpsync_settings" },
"action": "read"
},
"viewAnyMembers": {
"object": { "resource_type": "organization_member", "any_org": true },
"action": "read"
},
"editAnyGroups": {
"object": { "resource_type": "group", "any_org": true },
"action": "update"
},
"assignAnyRoles": {
"object": { "resource_type": "assign_org_role", "any_org": true },
"action": "assign"
},
"viewAnyIdpSyncSettings": {
"object": { "resource_type": "idpsync_settings", "any_org": true },
"action": "read"
},
"editAnySettings": {
"object": { "resource_type": "organization", "any_org": true },
"action": "update"
},
"viewAnyAuditLog": {
"object": { "resource_type": "audit_log", "any_org": true },
"action": "read"
},
"viewAnyConnectionLog": {
"object": { "resource_type": "connection_log", "any_org": true },
"action": "read"
},
"viewDebugInfo": {
"object": { "resource_type": "debug_info" },
"action": "read"
},
"viewAnyAIBridgeInterception": {
"object": { "resource_type": "aibridge_interception", "any_org": true },
"action": "read"
},
"createOAuth2App": {
"object": { "resource_type": "oauth2_app" },
"action": "create"
},
"editOAuth2App": {
"object": { "resource_type": "oauth2_app" },
"action": "update"
},
"deleteOAuth2App": {
"object": { "resource_type": "oauth2_app" },
"action": "delete"
},
"viewOAuth2AppSecrets": {
"object": { "resource_type": "oauth2_app_secret" },
"action": "read"
},
"createChat": {
"object": { "resource_type": "chat", "any_org": true, "owner_id": "me" },
"action": "create"
}
}
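Review bot: `createChat` is the only chat permission probed in this file, while the commit description says the agents-access role also carries read and update and that the message/tool handlers now authorize with ActionUpdate; any UI that gates those operations on this single create check can disagree with what the server enforces. Consider adding a sibling entry in the same shape, e.g. `"updateChat": { "object": { "resource_type": "chat", "any_org": true, "owner_id": "me" }, "action": "update" }`, so the frontend asks the same question the handlers do. Whether a consumer of this file currently needs such a check cannot be confirmed from the listing alone, so this is worth verifying against the chat UI code rather than assumed.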