
Commit 90ca06f

committed
project admins inherit from project viewer
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
1 parent ebf9f48 commit 90ca06f

2 files changed

Lines changed: 7 additions & 9 deletions


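--- a/app/controlplane/pkg/authz/authz.go
+++ b/app/controlplane/pkg/authz/authz.go
@@ -301,18 +301,14 @@ var RolesMap = map[Role][]*Policy{
 // Project API Token
 PolicyAPITokenList,
 },
-// RoleProjectAdmin: represents a project administrator. It's the higher role in project resources,
-// and it's only considered when the org-level role is `RoleOrgMember`
+// RoleProjectAdmin: inherits from ProjectViewer and represents a project administrator.
 RoleProjectAdmin: {
 // workflow contracts
-PolicyWorkflowContractList,
-PolicyWorkflowContractRead,
 PolicyWorkflowContractCreate,
 PolicyWorkflowContractUpdate,
 PolicyWorkflowContractDelete,
 
 // attestations
-PolicyWorkflowRead,
 PolicyWorkflowCreate,
 PolicyWorkflowRunCreate,
 PolicyWorkflowRunUpdate, // to reset attestations
@@ -321,15 +317,11 @@ var RolesMap = map[Role][]*Policy{
 PolicyWorkflowUpdate,
 PolicyWorkflowDelete,
 
-// workflow runs
-PolicyWorkflowRunRead,
-
 // integrations
 PolicyAttachedIntegrationAttach,
 PolicyAttachedIntegrationDetach,
 
 // Project API Token
-PolicyAPITokenList,
 PolicyAPITokenCreate,
 PolicyAPITokenRevoke,
 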
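Review bot: The rewritten comment above `RoleProjectAdmin` drops the earlier statement that the role is only considered when the org-level role is `RoleOrgMember`, which is the scoping constraint a reader needs when reasoning about who can reach these policies. If that constraint still holds, keep it next to the new wording, for example `// RoleProjectAdmin: inherits from RoleProjectViewer; only considered when the org-level role is RoleOrgMember.`. The entry also no longer lists the read and list policies itself, so any caller that reads `RolesMap[RoleProjectAdmin]` directly rather than asking the enforcer would see an admin without read access; no such caller is visible here, so this is worth confirming. `RolesMap` starts before and continues after these hunks.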

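--- a/app/controlplane/pkg/authz/enforcer.go
+++ b/app/controlplane/pkg/authz/enforcer.go
@@ -264,5 +264,11 @@ func doSync(e *Enforcer, c *Config) error {
 return fmt.Errorf("failed to add grouping policy: %w", err)
 }
 
+// ProjectAdmins are ProjectViewers as well
+_, err = e.AddGroupingPolicy(string(RoleProjectAdmin), string(RoleProjectViewer))
+if err != nil {
+return fmt.Errorf("failed to add grouping policy: %w", err)
+}
+
 return nil
 }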
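Review bot: The argument order in `e.AddGroupingPolicy(string(RoleProjectAdmin), string(RoleProjectViewer))` decides which role inherits from which, and the commit touches only two files, so no test pins that direction. A swapped pair would presumably hand the admin policies to every project viewer. A test through the enforcer should assert both sides: RoleProjectAdmin is allowed a policy it now only gets by inheritance, such as `PolicyWorkflowRead`, and RoleProjectViewer is still denied an admin-only one, such as `PolicyWorkflowDelete`. The error text is also identical to the preceding grouping-policy failure, so the two cannot be told apart in logs; consider `return fmt.Errorf("failed to add grouping policy %s -> %s: %w", RoleProjectAdmin, RoleProjectViewer, err)`. doSync starts outside the hunk.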
