feat: Option to remove WorkspaceExec from owner role (#7050)

* chore: Add AllResources option for listing all RBAC objects * Owners cannot do workspace exec site wide * Fix FE authchecks to valid RBAC resources
2025-07-03 16:13:58 +00:00 · 2023-04-11 08:57:23 -05:00
parent ad2353c3d8
commit 9d39371ee0
28 changed files with 700 additions and 169 deletions
--- a/coderd/apidoc/docs.go
+++ b/coderd/apidoc/docs.go
@ -6290,7 +6290,11 @@ const docTemplate = `{
                },
                "resource_type": {
                    "description": "ResourceType is the name of the resource.\n` + "`" + `./coderd/rbac/object.go` + "`" + ` has the list of valid resource types.",
-                    "type": "string"
+                    "allOf": [
+                        {
+                            "$ref": "#/definitions/codersdk.RBACResource"
+                        }
+                    ]
                }
            }
        },
@ -6985,6 +6989,9 @@ const docTemplate = `{
                "derp": {
                    "$ref": "#/definitions/codersdk.DERP"
                },
+                "disable_owner_workspace_exec": {
+                    "type": "boolean"
+                },
                "disable_password_auth": {
                    "type": "boolean"
                },
@ -8023,6 +8030,57 @@ const docTemplate = `{
                }
            }
        },
+        "codersdk.RBACResource": {
+            "type": "string",
+            "enum": [
+                "workspace",
+                "workspace_proxy",
+                "workspace_execution",
+                "application_connect",
+                "audit_log",
+                "template",
+                "group",
+                "file",
+                "provisioner_daemon",
+                "organization",
+                "assign_role",
+                "assign_org_role",
+                "api_key",
+                "user",
+                "user_data",
+                "organization_member",
+                "license",
+                "deployment_config",
+                "deployment_stats",
+                "replicas",
+                "debug_info",
+                "system"
+            ],
+            "x-enum-varnames": [
+                "ResourceWorkspace",
+                "ResourceWorkspaceProxy",
+                "ResourceWorkspaceExecution",
+                "ResourceWorkspaceApplicationConnect",
+                "ResourceAuditLog",
+                "ResourceTemplate",
+                "ResourceGroup",
+                "ResourceFile",
+                "ResourceProvisionerDaemon",
+                "ResourceOrganization",
+                "ResourceRoleAssignment",
+                "ResourceOrgRoleAssignment",
+                "ResourceAPIKey",
+                "ResourceUser",
+                "ResourceUserData",
+                "ResourceOrganizationMember",
+                "ResourceLicense",
+                "ResourceDeploymentValues",
+                "ResourceDeploymentStats",
+                "ResourceReplicas",
+                "ResourceDebugInfo",
+                "ResourceSystem"
+            ]
+        },
        "codersdk.RateLimitConfig": {
            "type": "object",
            "properties": {