
Commit 19fff6f

authored
enable importing projects for workspace contributors (#1434)
1 parent 63019e2 commit 19fff6f


1 file changed

+4
-4
lines changed
  • platform/services/opa_bundle/app/policies/default

1 file changed

+4
-4
lines changed

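--- a/platform/services/opa_bundle/app/policies/default/policy.rego
+++ b/platform/services/opa_bundle/app/policies/default/policy.rego
@@ -564,20 +564,20 @@ allow if {
 
 # * /api/<api_ver>/organizations/{organization_id}/workspaces/{workspace_id}/projects/uploads
 # * /api/<api_ver>/organizations/{organization_id}/workspaces/{workspace_id}/projects/uploads/*
-# Workspace project upload operations, user should be granted with "can_manage" workspace level permission
+# Workspace project upload operations, user should be granted with "can_contribute" workspace level permission
 allow if {
 ["api", api_ver, "organizations", organization_id, "workspaces", workspace_id, "projects", "uploads"] = array.slice(parsed_path, 0, 8)
 is_valid_api_version(api_ver)
 
 print("Policy: Import project operations", parsed_path)
 user_id := resolve_user_id(http_request.headers)
 check_relation(spicedb_address, spicedb_key, "workspace", workspace_id, "parent_organization", "organization", organization_id)
-check_authorization_allowing_pat(spicedb_key, "workspace", workspace_id, "can_manage", user_id)
+check_authorization_allowing_pat(spicedb_key, "workspace", workspace_id, "can_contribute", user_id)
 check_authorization_allowing_pat(spicedb_key, "organization", organization_id, "can_contribute", user_id)
 }
 
 # * /api/<api_ver>/organizations/{organization_id}/workspaces/{workspace_id}/projects:import
-# Import project, user should be granted with "can_manage" workspace level permission
+# Import project, user should be granted with "can_contribute" workspace level permission
 allow if {
 http_request.method == "POST"
 ["api", api_ver, "organizations", organization_id, "workspaces", workspace_id, "projects:import"] = array.slice(parsed_path, 0, 7)
@@ -586,7 +586,7 @@ allow if {
 print("Policy: Import project operations", parsed_path)
 check_relation(spicedb_address, spicedb_key, "workspace", workspace_id, "parent_organization", "organization", organization_id)
 user_id := resolve_user_id(http_request.headers)
-check_authorization_allowing_pat(spicedb_key, "workspace", workspace_id, "can_manage", user_id)
+check_authorization_allowing_pat(spicedb_key, "workspace", workspace_id, "can_contribute", user_id)
 check_authorization_allowing_pat(spicedb_key, "organization", organization_id, "can_contribute", user_id)
 }
 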
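Review bot: The uploads rule (new lines 568-577) has no `http_request.method` constraint and matches only on the first eight path segments, so with the workspace check lowered from "can_manage" to "can_contribute" every verb on `projects/uploads` and on anything under `projects/uploads/*` is now open to contributors, not just the calls the import flow needs. The `projects:import` rule below pins `http_request.method == "POST"`; the uploads rule should carry an equivalent allow-list of the verbs the upload endpoint actually serves, which this page does not show. Whether workspace "can_contribute" is implied by "can_manage" in the SpiceDB schema is also not visible here; if it is not, managers who are not contributors lose import access with this change. The commit touches only policy.rego, so a policy test asserting that a contributor is allowed and a user without "can_contribute" is denied on both routes would pin the new boundary. The import rule's body runs across the gap between the two hunks (lines 584-585 are not shown).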
