fix: allow group members to read group information (#14200)

* - allow group members to read basic Group info - allow group members to see they are part of the group, but not see that information about other members - add a GetGroupMembersCountByGroupID SQL query, which allows group members to see members count without revealing other information about the members - add the group_members_expanded db view - rewrite group member queries to use the group_members_expanded view - add the RBAC ResourceGroupMember and add it to relevant roles - rewrite GetGroupMembersByGroupID permission checks - make the GroupMember type contain all user fields - fix type issues coming from replacing User with GroupMember in group member queries - add the MemberTotalCount field to codersdk.Group - display `group.total_member_count` instead of `group.members.length` on the account page
2025-07-18 14:17:22 +00:00 · 2024-08-13 16:20:24 +02:00
parent 60218c4c78
commit 6f9b1a39f4
38 changed files with 734 additions and 315 deletions
--- a/coderd/database/modelmethods.go
+++ b/coderd/database/modelmethods.go
@ -12,6 +12,7 @@ import (

 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/policy"
 )

 type WorkspaceStatus string
@ -75,18 +76,18 @@ func (m OrganizationMember) Auditable(username string) AuditableOrganizationMemb

 type AuditableGroup struct {
 	Group
-	Members []GroupMember `json:"members"`
+	Members []GroupMemberTable `json:"members"`
 }

 // Auditable returns an object that can be used in audit logs.
 // Covers both group and group member changes.
-func (g Group) Auditable(users []User) AuditableGroup {
-	members := make([]GroupMember, 0, len(users))
-	for _, u := range users {
-		members = append(members, GroupMember{
-			UserID:  u.ID,
-			GroupID: g.ID,
-		})
+func (g Group) Auditable(members []GroupMember) AuditableGroup {
+	membersTable := make([]GroupMemberTable, len(members))
+	for i, member := range members {
+		membersTable[i] = GroupMemberTable{
+			UserID:  member.UserID,
+			GroupID: member.GroupID,
+		}
 	}

 	// consistent ordering
@ -96,7 +97,7 @@ func (g Group) Auditable(users []User) AuditableGroup {

 	return AuditableGroup{
 		Group:   g,
-		Members: members,
+		Members: membersTable,
 	}
 }

@ -173,7 +174,17 @@ func (v TemplateVersion) RBACObjectNoTemplate() rbac.Object {

 func (g Group) RBACObject() rbac.Object {
 	return rbac.ResourceGroup.WithID(g.ID).
-		InOrg(g.OrganizationID)
+		InOrg(g.OrganizationID).
+		// Group members can read the group.
+		WithGroupACL(map[string][]policy.Action{
+			g.ID.String(): {
+				policy.ActionRead,
+			},
+		})
+}
+
+func (gm GroupMember) RBACObject() rbac.Object {
+	return rbac.ResourceGroupMember.WithID(gm.UserID).InOrg(gm.OrganizationID).WithOwner(gm.UserID.String())
 }

 func (w GetWorkspaceByAgentIDRow) RBACObject() rbac.Object {