Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 8 additions & 2 deletions app/controlplane/internal/service/group.go
Original file line number Diff line number Diff line change
Expand Up @@ -236,8 +236,14 @@ func (g *GroupService) ListMembers(ctx context.Context, req *pb.GroupServiceList
return nil, err
}

if err := g.userHasPermissionToListGroupMember(ctx, currentOrg.ID, req.GetGroupReference()); err != nil {
return nil, err
orgRole := usercontext.CurrentAuthzSubject(ctx)

// Viewers can see group memberships
// TODO: replace this with enforcer check once group_memberships and memberships are merged
if authz.Role(orgRole) != authz.RoleViewer {
if err := g.userHasPermissionToListGroupMember(ctx, currentOrg.ID, req.GetGroupReference()); err != nil {
return nil, err
}
}

currentUser, err := requireCurrentUser(ctx)
Expand Down
11 changes: 10 additions & 1 deletion app/controlplane/pkg/authz/authz.go
Original file line number Diff line number Diff line change
Expand Up @@ -158,8 +158,10 @@ var (
PolicyWorkflowDelete = &Policy{ResourceWorkflow, ActionDelete}
// Projects
PolicyProjectCreate = &Policy{ResourceProject, ActionCreate}

// User Membership
PolicyOrganizationRead = &Policy{Organization, ActionRead}
PolicyOrganizationRead = &Policy{Organization, ActionRead}
PolicyOrganizationListMemberships = &Policy{OrganizationMemberships, ActionList}

// Group Memberships
PolicyGroupListPendingInvitations = &Policy{ResourceGroup, ActionList}
Expand Down Expand Up @@ -215,6 +217,9 @@ var RolesMap = map[Role][]*Policy{
PolicyWorkflowRead,
// Organization
PolicyOrganizationRead,

// List organization memberships
PolicyOrganizationListMemberships,
},
// RoleAdmin is an org-scoped role that provides super admin privileges (it's the higher role)
RoleAdmin: {
Expand Down Expand Up @@ -385,6 +390,10 @@ var ServerOperationsMap = map[string][]*Policy{
// since all the permissions here are in the context of an organization
// Create new organization
"/controlplane.v1.OrganizationService/Create": {},

// List global memberships
"/controlplane.v1.OrganizationService/ListMemberships": {PolicyOrganizationListMemberships},

// NOTE: this is about listing my own memberships, not about listing all the memberships in the organization
"/controlplane.v1.UserService/ListMemberships": {},
// Set the current organization for the current user
Expand Down
Loading