Skip to content

fix(RBAC): correcly apply RBAC to referrers if needed #2140

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jun 27, 2025
Merged

fix(RBAC): correcly apply RBAC to referrers if needed #2140

merged 4 commits into from
Jun 27, 2025

Conversation

jiparis
Copy link
Member

@jiparis jiparis commented Jun 26, 2025
edited
Loading

Fix filtering by visible referrers in Discover endpoints. Since this endpoint search in multiple orgs, the logic must consider the user role in each of those orgs to apply RBAC on projects if needed.

  • if the user doesn't need RBAC in some Organization, the resource is visible
  • if the user is "member" in all organizations, RBAC is applied by checking visible projects on each (if the resource is accessible in one of them, it's returned).

Refs #2121

@jiparis
correcly apply RBAC to referrers if needed
0f4e257 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis requested review from migmartri and javirln June 26, 2025 15:11
@jiparis
lint
10e0409 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@migmartri
Copy link
Member

if the user is "member" in all organizations, RBAC is applied by checking visible projects on each (if the resource is accessible in one of them, it's returned).

I do not follow this logic, could you elaborate?

migmartri
migmartri approved these changes Jun 26, 2025
View reviewed changes
Copy link
Member

@migmartri migmartri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still struggle with this a little bit. I do not understand how you can do a multi-dymension query between orgs that include all the projects, and orgs that include only some.

jiparis
jiparis commented Jun 27, 2025
View reviewed changes
jiparis added 2 commits June 27, 2025 12:53
@jiparis
apply suggestions
4296ae3 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis
add comment
d4c8113 
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis merged commit 96bbf57 into chainloop-dev:main Jun 27, 2025
13 checks passed
@jiparis jiparis deleted the PFM-3218 branch June 27, 2025 12:27
@BrewTestBot BrewTestBot mentioned this pull request Jun 30, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@migmartri migmartri migmartri approved these changes

@javirln javirln Awaiting requested review from javirln

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jiparis @migmartri