feat: Rbac more coderd endpoints, unit test to confirm (#1437)

* feat: Enforce authorize call on all endpoints - Make 'request()' exported for running custom requests * Rbac users endpoints * 401 -> 403
2025-07-13 21:36:50 +00:00 · 2022-05-17 13:43:19 -05:00
parent 495c87b6c3
commit 4ad5ac2d4a
40 changed files with 631 additions and 319 deletions
--- a/coderd/rbac/builtin.go
+++ b/coderd/rbac/builtin.go
@ -64,6 +64,10 @@ var (
 			return Role{
 				Name:        member,
 				DisplayName: "Member",
+				Site: permissions(map[Object][]Action{
+					// All users can read all other users and know they exist.
+					ResourceUser: {ActionRead},
+				}),
 				User: permissions(map[Object][]Action{
 					ResourceWildcard: {WildcardSymbol},
 				}),
@ -111,7 +115,20 @@ var (
 				Name:        roleName(orgMember, organizationID),
 				DisplayName: "Organization Member",
 				Org: map[string][]Permission{
-					organizationID: {},
+					organizationID: {
+						{
+							// All org members can read the other members in their org.
+							ResourceType: ResourceOrganizationMember.Type,
+							Action:       ActionRead,
+							ResourceID:   "*",
+						},
+						{
+							// All org members can read the organization
+							ResourceType: ResourceOrganization.Type,
+							Action:       ActionRead,
+							ResourceID:   "*",
+						},
+					},
 				},
 			}
 		},