chore: remove rbac psuedo resources, add custom verbs (#13276)

Removes our pseudo rbac resources like `WorkspaceApplicationConnect` in favor of additional verbs like `ssh`. This is to make more intuitive permissions for building custom roles. The source of truth is now `policy.go`
2025-07-15 22:20:27 +00:00 · 2024-05-15 11:09:42 -05:00
parent cb6b5e8fbd
commit 1f5788feff
48 changed files with 1809 additions and 1053 deletions
--- a/coderd/authorize.go
+++ b/coderd/authorize.go
@ -169,7 +169,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 		obj := rbac.Object{
 			Owner: v.Object.OwnerID,
 			OrgID: v.Object.OrganizationID,
-			Type:  v.Object.ResourceType.String(),
+			Type:  string(v.Object.ResourceType),
 		}
 		if obj.Owner == "me" {
 			obj.Owner = auth.ID
@ -189,13 +189,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 			var dbObj rbac.Objecter
 			var dbErr error
 			// Only support referencing some resources by ID.
-			switch v.Object.ResourceType.String() {
-			case rbac.ResourceWorkspaceExecution.Type:
-				workSpace, err := api.Database.GetWorkspaceByID(ctx, id)
-				if err == nil {
-					dbObj = workSpace.ExecutionRBAC()
-				}
-				dbErr = err
+			switch string(v.Object.ResourceType) {
 			case rbac.ResourceWorkspace.Type:
 				dbObj, dbErr = api.Database.GetWorkspaceByID(ctx, id)
 			case rbac.ResourceTemplate.Type: