fix: RBAC should default deny missing variables. (#5105)

* fix: RBAC should default deny missing variables. The default behavior was to use 'true' for missing variables. This was an incorrect assumption. If the variable is missing, the new default is to deny (fail secure). * Assert 1 workspace is returned for the owners
2025-07-03 16:13:58 +00:00 · 2022-11-16 11:01:09 -06:00
parent 1fcc7caf99
commit 015a6f9e26
3 changed files with 11 additions and 5 deletions
--- a/coderd/rbac/query.go
+++ b/coderd/rbac/query.go
@ -470,7 +470,7 @@ func (t opInternalMember2) SQLString(cfg SQLConfig) string {
 		}

 		if sqlType == VarTypeSkip {
-			return "true"
+			return "false"
 		}
 	}

--- a/coderd/rbac/query_internal_test.go
+++ b/coderd/rbac/query_internal_test.go
@ -84,7 +84,7 @@ func TestCompileQuery(t *testing.T) {
 			`"*" in input.object.acl_group_list["4d30d4a8-b87d-45ac-b0d4-51b2e68e7e75"]`,
 		))
 		require.NoError(t, err, "compile")
-		require.Equal(t, `true`,
+		require.Equal(t, `false`,
 			expression.SQLString(NoACLConfig()), "literal dereference")
 	})
 }