feat: remove site wide perms from creating a workspace (#17296)

Creating a workspace required `read` on site wide `user`. Only organization permissions should be required.
2025-07-03 16:13:58 +00:00 · 2025-04-09 14:35:43 -05:00
parent a03a54dd14
commit 0b58798a1a
8 changed files with 392 additions and 135 deletions
--- a/coderd/rbac/object.go
+++ b/coderd/rbac/object.go
@ -1,10 +1,14 @@
 package rbac

 import (
+	"fmt"
+	"strings"
+
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"

 	"github.com/coder/coder/v2/coderd/rbac/policy"
+	cstrings "github.com/coder/coder/v2/coderd/util/strings"
 )

 // ResourceUserObject is a helper function to create a user object for authz checks.
@ -37,6 +41,25 @@ type Object struct {
 	ACLGroupList map[string][]policy.Action ` json:"acl_group_list"`
 }

+// String is not perfect, but decent enough for human display
+func (z Object) String() string {
+	var parts []string
+	if z.OrgID != "" {
+		parts = append(parts, fmt.Sprintf("org:%s", cstrings.Truncate(z.OrgID, 4)))
+	}
+	if z.Owner != "" {
+		parts = append(parts, fmt.Sprintf("owner:%s", cstrings.Truncate(z.Owner, 4)))
+	}
+	parts = append(parts, z.Type)
+	if z.ID != "" {
+		parts = append(parts, fmt.Sprintf("id:%s", cstrings.Truncate(z.ID, 4)))
+	}
+	if len(z.ACLGroupList) > 0 || len(z.ACLUserList) > 0 {
+		parts = append(parts, fmt.Sprintf("acl:%d", len(z.ACLUserList)+len(z.ACLGroupList)))
+	}
+	return strings.Join(parts, ".")
+}
+
 // ValidAction checks if the action is valid for the given object type.
 func (z Object) ValidAction(action policy.Action) error {
 	perms, ok := policy.RBACPermissions[z.Type]