fix: don't allow observer and observer+ to download software installers #19938
allow { | ||
not is_null(object.team_id) | ||
object.type == "software_installer" | ||
team_role(subject, object.team_id) == [admin, maintainer, observer, observer_plus][_] | ||
team_role(subject, object.team_id) == [admin, maintainer][_] |
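Review bot: The rule body shown here has no `action ==` condition, so narrowing the list on the `team_role(subject, object.team_id)` line to `[admin, maintainer]` changes every action this rule governs for `software_installer` objects, not only download. If the rule is meant to cover reads in general, add authorization test cases showing that observer and observer_plus are denied the download while list and detail views still succeed through whichever object authorizes them; otherwise consider a dedicated download action so the two can be permissioned separately. The `not is_null(object.team_id)` guard also limits this rule to team-scoped installers, and no counterpart for installers without a team is visible in this hunk, so check that any such rule gets the same role restriction.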
I think the problem (and the confusing part) is that they can read installers, but they can't download them; I believe this will restrict both actions.
I was still able to read (list and access the details page) fwiw; I think those actions are permissioned using the software titles object, which allows the access
good point, thanks! how do you see that playing out with the upcoming changes in #19561?
Checklist for submitter
If some of the following don't apply, delete the relevant line.
`changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See Changes files for more information.