github.com/coder/coder / OrgMemberPermissions

Function OrgMemberPermissions

coderd/rbac/roles.go:1010–1095

OrgMemberPermissions returns the permissions for the organization-member system role, which can vary based on the organization's workspace sharing settings.

(org OrgSettings)


```go
// system role, which can vary based on the organization's workspace sharing
// settings.
func OrgMemberPermissions(org OrgSettings) OrgRolePermissions {
	// Organization-level permissions that all org members get.
	orgPermMap := map[string][]policy.Action{
		// All users can see provisioner daemons for workspace creation.
		ResourceProvisionerDaemon.Type: {policy.ActionRead},
		// All org members can read the organization.
		ResourceOrganization.Type: {policy.ActionRead},
		// Can read available roles.
		ResourceAssignOrgRole.Type: {policy.ActionRead},
	}

	// In all modes of workspace sharing but `none`, members need to
	// see other org members (including service accounts) to either
	// share with them or get access to their shared workspaces,
	// resolved through GET /users/{user}/workspace/{workspace}
	if org.ShareableWorkspaceOwners != ShareableWorkspaceOwnersNone {
		orgPermMap[ResourceOrganizationMember.Type] = []policy.Action{policy.ActionRead}
	}

	// When workspace sharing is open to members, they also need to
	// see org groups to share with them.
	if org.ShareableWorkspaceOwners == ShareableWorkspaceOwnersEveryone {
		orgPermMap[ResourceGroup.Type] = []policy.Action{policy.ActionRead}
	}

	orgPerms := Permissions(orgPermMap)

	if org.ShareableWorkspaceOwners == ShareableWorkspaceOwnersNone {
		// Org-level negation blocks sharing on ANY workspace in the
		// org. This overrides any positive permission from other
		// roles, including org-admin.
		orgPerms = append(orgPerms, Permission{
			Negate:       true,
			ResourceType: ResourceWorkspace.Type,
			Action:       policy.ActionShare,
		})
	}

	// Uses allPermsExcept to automatically include permissions for new resources.
	memberPerms := append(
		allPermsExcept(
			ResourceWorkspaceDormant,
			ResourcePrebuiltWorkspace,
			ResourceUser,
			ResourceOrganizationMember,
			ResourceAibridgeInterception,
			// Chat access requires the agents-access role.
			ResourceChat,
		),

		Permissions(map[string][]policy.Action{
			// Reduced permission set on dormant workspaces. No build,
			// ssh, or exec.
			ResourceWorkspaceDormant.Type: {
				policy.ActionRead,
				policy.ActionDelete,
				policy.ActionCreate,
				policy.ActionUpdate,
	// ... the listing on this page stops here; the function continues
	// through line 1095 of coderd/rbac/roles.go.
```
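The security-relevant point in the listing is the org-level negated permission: in the `none` sharing mode it must block `ActionShare` on every workspace even when another role (org-admin, for instance) carries a positive grant. The following is an added example, not code from coder/coder, that models the three branches above and shows deny-overrides-allow in action. It assumes hypothetical string resource names in place of the project's `Resource*.Type` constants, a hypothetical third sharing mode `ShareableWorkspaceOwnersOther` standing in for "any mode but none or everyone", and a simple evaluator in which a matching negated permission is final; only the two mode names the page uses are the project's.

```go
package main

import "fmt"

// ShareableWorkspaceOwners mirrors the setting the page branches on.
type ShareableWorkspaceOwners string

const (
	ShareableWorkspaceOwnersNone     ShareableWorkspaceOwners = "none"     // named on the page
	ShareableWorkspaceOwnersEveryone ShareableWorkspaceOwners = "everyone" // named on the page
	ShareableWorkspaceOwnersOther    ShareableWorkspaceOwners = "other"    // hypothetical: any mode that is neither of the above
)

// Permission carries the three fields used on the page; Negate turns a
// grant into a denial.
type Permission struct {
	Negate       bool
	ResourceType string
	Action       string
}

// orgMemberPerms follows the org-level branches of OrgMemberPermissions,
// using hypothetical resource and action strings.
func orgMemberPerms(mode ShareableWorkspaceOwners) []Permission {
	perms := []Permission{
		{ResourceType: "provisioner_daemon", Action: "read"},
		{ResourceType: "organization", Action: "read"},
		{ResourceType: "assign_org_role", Action: "read"},
	}
	// Every mode except none: members may read other org members.
	if mode != ShareableWorkspaceOwnersNone {
		perms = append(perms, Permission{ResourceType: "organization_member", Action: "read"})
	}
	// Only the everyone mode exposes groups as sharing targets.
	if mode == ShareableWorkspaceOwnersEveryone {
		perms = append(perms, Permission{ResourceType: "group", Action: "read"})
	}
	// In the none mode, an org-wide negation blocks sharing on any workspace.
	if mode == ShareableWorkspaceOwnersNone {
		perms = append(perms, Permission{Negate: true, ResourceType: "workspace", Action: "share"})
	}
	return perms
}

// allowed evaluates a combined permission list with deny-overrides-allow
// semantics (assumed for this model): a matching negated permission
// denies regardless of order; otherwise any matching positive grant allows.
func allowed(perms []Permission, resourceType, action string) bool {
	granted := false
	for _, p := range perms {
		if p.ResourceType != resourceType || p.Action != action {
			continue
		}
		if p.Negate {
			return false // negation is final, whatever else is granted
		}
		granted = true
	}
	return granted
}

// adminShareGrant is a constructed positive permission standing in for a
// grant another role (such as org-admin) might contribute; it exists to
// show that the negation still wins once the lists are combined.
var adminShareGrant = Permission{ResourceType: "workspace", Action: "share"}

func main() {
	modes := []ShareableWorkspaceOwners{
		ShareableWorkspaceOwnersNone, ShareableWorkspaceOwnersOther, ShareableWorkspaceOwnersEveryone,
	}
	for _, mode := range modes {
		perms := append(orgMemberPerms(mode), adminShareGrant)
		fmt.Printf("mode=%-8s share workspace=%-5t read members=%-5t read groups=%t\n",
			mode,
			allowed(perms, "workspace", "share"),
			allowed(perms, "organization_member", "read"),
			allowed(perms, "group", "read"))
	}
}
```

Running it prints one line per mode; only the `none` row shows `share workspace=false` despite the positive grant being present, which is the behaviour the comment in the listing promises. When reviewing a change to this function, the check worth keeping is exactly that combination test: the negation merged with a positive grant from another role must still deny.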

Callers (3)

TestRolePermissions (function) · 0.92
TestReconcileSystemRoles (function) · 0.92
orgMemberRole (function) · 0.85

Calls (2)

Permissions (function) · 0.85
allPermsExcept (function) · 0.85

Tested by (3)

TestRolePermissions (function) · 0.74
TestReconcileSystemRoles (function) · 0.74
orgMemberRole (function) · 0.68