Skip to content

fix(group): Only org admin/owners and group maintainers can list group members #2269

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 18, 2025
Merged

fix(group): Only org admin/owners and group maintainers can list group members #2269

merged 3 commits into from
Jul 18, 2025

Conversation

javirln
Copy link
Member

@javirln javirln commented Jul 17, 2025

This patch restricts access to the ListMembers endpoint so that only organization owners, admins, or maintainers of the specific group can view its members.

@javirln javirln requested review from migmartri and jiparis July 17, 2025 11:29
@javirln javirln self-assigned this Jul 17, 2025
@javirln javirln marked this pull request as draft July 17, 2025 11:38
@javirln
fix(group): Only org admin/owners and group maintainers can list grou…
51806b2 
…p members

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln javirln marked this pull request as ready for review July 17, 2025 11:47
javirln added 2 commits July 17, 2025 14:52
@javirln
remove duplicated code
b6ecc71 
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln
change string
ffb373e 
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
javirln
javirln commented Jul 17, 2025
View reviewed changes
app/controlplane/internal/service/group.go
}

// userHasPermissionToListGroupMember checks if the user has permission to list group members
func (g *GroupService) userHasPermissionToListGroupMember(ctx context.Context, orgID string, groupIdentifier *pb.IdentityReference) error {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved all these methods from servier to GroupService and this is the new one that checks the policy for listing members in a group

jiparis
jiparis reviewed Jul 17, 2025
View reviewed changes
app/controlplane/pkg/biz/group.go

// Validate requester permissions only if RequesterID is provided
if opts.RequesterID != uuid.Nil {
// Check if the requester is part of the organization
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this code duplicated?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this code can be found in validateRequesterPermissions that's why I removed it. I must have left it here after some refactoring.

jiparis
jiparis reviewed Jul 17, 2025
View reviewed changes
app/controlplane/internal/service/group.go
IdentityReference: &biz.IdentityReference{},
Maintainers: req.Maintainers,
MemberEmail: req.MemberEmail,
RequesterID: requesterUUID,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this just for testing? or is it needed for any use case?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the same way we have AddMembers and `RemoveMembers, I pass the requester to check the permissions on biz, only if present and to test it, yes. In this way we allow third party code to call this code without the problem of forcing a requester.

jiparis
jiparis approved these changes Jul 17, 2025
View reviewed changes
Copy link
Member

@jiparis jiparis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I implemented a similar approach at #2271, I'll solve the conflicts when this is merged.

Do you think we should also restrict the GroupsService/GetProjects endpoint?

migmartri
migmartri approved these changes Jul 17, 2025
View reviewed changes
app/controlplane/pkg/biz/group.go
}

// Validate requester permissions only if RequesterID is provided
if opts.RequesterID != uuid.Nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what's this requester part? When is it meant to not to exist?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When the calling this method from a third party code. For example, we have another service calling AddMembers and RemoveMembers where we don't check the requester because it's a system request.

It's basically here to check permissions a part from the service

@javirln
Copy link
Member Author

javirln commented Jul 17, 2025

Do you think we should also restrict the GroupsService/GetProjects endpoint?

@jiparis was that covered in the permission matrix? We originally had this endpoint, ListMembers open for all members because we thought it was ok. I don't think we have talked about the Projects in the scope of groups though

@javirln javirln merged commit 751a509 into chainloop-dev:main Jul 18, 2025
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@migmartri migmartri migmartri approved these changes

@jiparis jiparis jiparis approved these changes

Assignees

@javirln javirln

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@javirln @migmartri @jiparis