
Commit 0a2046c

authored
chore(rbac): Allow OrgViewers to see organization memberships (#2280)
Signed-off-by: Jose I. Paris <[email protected]>
1 parent 2fd8e96 commit 0a2046c


2 files changed

+18
-3
lines changed


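--- a/app/controlplane/internal/service/group.go
+++ b/app/controlplane/internal/service/group.go
@@ -236,8 +236,14 @@ func (g *GroupService) ListMembers(ctx context.Context, req *pb.GroupServiceList
 		return nil, err
 	}
 
-	if err := g.userHasPermissionToListGroupMember(ctx, currentOrg.ID, req.GetGroupReference()); err != nil {
-		return nil, err
+	orgRole := usercontext.CurrentAuthzSubject(ctx)
+
+	// Viewers can see group memberships
+	// TODO: replace this with enforcer check once group_memberships and memberships are merged
+	if authz.Role(orgRole) != authz.RoleViewer {
+		if err := g.userHasPermissionToListGroupMember(ctx, currentOrg.ID, req.GetGroupReference()); err != nil {
+			return nil, err
+		}
 	}
 
 	currentUser, err := requireCurrentUser(ctx)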
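Review bot: Skipping userHasPermissionToListGroupMember for viewers also skips whatever that helper does with req.GetGroupReference() and currentOrg.ID, so the code below the hunk must itself bind the referenced group to currentOrg.ID, otherwise an org viewer could list members of a group that belongs to another organization; I cannot see the rest of ListMembers from here, so please confirm where that scoping happens. The role comparison is fail-closed in the sense that an empty or unknown subject does not equal RoleViewer and falls through to the stricter check, which is worth stating in the comment, e.g. `// Viewers can see group memberships; any other (or empty) subject still goes through the per-group check`. Since this is a hard-coded exemption rather than a policy in authz.RolesMap, a unit test pinning that a non-viewer role still reaches userHasPermissionToListGroupMember would keep the TODO from silently widening later. The enclosing function starts and ends outside the hunk.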

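--- a/app/controlplane/pkg/authz/authz.go
+++ b/app/controlplane/pkg/authz/authz.go
@@ -158,8 +158,10 @@ var (
 	PolicyWorkflowDelete = &Policy{ResourceWorkflow, ActionDelete}
 	// Projects
 	PolicyProjectCreate = &Policy{ResourceProject, ActionCreate}
+
 	// User Membership
-	PolicyOrganizationRead = &Policy{Organization, ActionRead}
+	PolicyOrganizationRead = &Policy{Organization, ActionRead}
+	PolicyOrganizationListMemberships = &Policy{OrganizationMemberships, ActionList}
 
 	// Group Memberships
 	PolicyGroupListPendingInvitations = &Policy{ResourceGroup, ActionList}
@@ -215,6 +217,9 @@ var RolesMap = map[Role][]*Policy{
 		PolicyWorkflowRead,
 		// Organization
 		PolicyOrganizationRead,
+
+		// List organization memberships
+		PolicyOrganizationListMemberships,
 	},
 	// RoleAdmin is an org-scoped role that provides super admin privileges (it's the higher role)
 	RoleAdmin: {
@@ -385,6 +390,10 @@ var ServerOperationsMap = map[string][]*Policy{
 	// since all the permissions here are in the context of an organization
 	// Create new organization
 	"/controlplane.v1.OrganizationService/Create": {},
+
+	// List global memberships
+	"/controlplane.v1.OrganizationService/ListMemberships": {PolicyOrganizationListMemberships},
+
 	// NOTE: this is about listing my own memberships, not about listing all the memberships in the organization
 	"/controlplane.v1.UserService/ListMemberships": {},
 	// Set the current organization for the current user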
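Review bot: The comment `// List global memberships` on the new ServerOperationsMap entry is misleading: the policy it maps to is PolicyOrganizationListMemberships, scoped to OrganizationMemberships, and the very next NOTE already distinguishes this from listing one's own memberships, so "global" reads as cross-organization. Suggest `// List all memberships of the current organization (requires OrganizationMemberships/list)`. In the RolesMap hunk only RoleViewer gains the new policy; that is correct only if RoleAdmin and any higher roles obtain it by inheritance elsewhere in the file, which I cannot see from this hunk. The var block in the first hunk may also need a gofmt re-run, since the two PolicyOrganization* lines are now in the same alignment group.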
