This repository was archived by the owner on Sep 30, 2024. It is now read-only.

support getting other orgs on dotcom from the GraphQL API #63941

Merged: sqs merged 1 commit into main from sqs/dotcom-org-perms-2 on Jul 19, 2024


Conversation

@sqs sqs commented Jul 19, 2024


Previously, the GraphQL API on dotcom only let org members query for an org (through `organization(name: ...)` or otherwise). This made sense as a strict security safeguard in a world where an org had only private resources, not public resources.

However, with search contexts, saved searches, and now the new prompt library, we want orgs on dotcom to be able to create things that (if we or they intentionally make them public) all users can see, and can see the association with the org owner. That requires all users to be able to query for the org and see its name.

We continue to enforce the secrecy of much org data: members (only org members can list the other members of the org), settings (only org members can view this).

But the name, displayName, and existence of an org will now be considered public.

## Test plan

In dotcom mode, view an organization.

@cla-bot cla-bot Bot added the cla-signed label Jul 19, 2024
Comment thread on cmd/frontend/graphqlbackend/org.go (outdated), lines 196 to 201

Check notice: Code scanning / Semgrep OSS

Semgrep Finding: security-semgrep-rules.semgrep-rules.generic.comment-tagging-rule

Code that highlights SECURITY in a comment has changed. Please review the code for changes. The changes might be sensitive.
@sqs sqs force-pushed the sqs/dotcom-org-perms-2 branch from 25ab300 to 267cc6b on July 19, 2024 09:31
@sqs sqs changed the title from "wip support getting other orgs on dotcom" to "support getting other orgs on dotcom from the GraphQL API" on Jul 19, 2024
@sqs sqs force-pushed the sqs/dotcom-org-perms-2 branch 2 times, most recently from 427642c to 3fe4db0 on July 19, 2024 11:41
@sqs sqs marked this pull request as ready for review on July 19, 2024 11:42
@sqs sqs force-pushed the sqs/dotcom-org-perms-2 branch from 3fe4db0 to 87ad4bd on July 19, 2024 11:42
@sqs sqs requested a review from a team July 19, 2024 11:43

@evict evict left a comment

🧹 LGTM

@sqs sqs merged commit d33b87c into main Jul 19, 2024
@sqs sqs deleted the sqs/dotcom-org-perms-2 branch July 19, 2024 22:49
sqs referenced this pull request Jul 20, 2024
…com (#63963)

Followup from https://github.com/sourcegraph/sourcegraph/pull/63941.

I forgot to make it so site admins could list org members in that PR.

As for the new ability for site admins to see user and org settings: Site admins could already add themselves to orgs as members and see settings that way. I considered still keeping it stricter, but it is valuable for site admins to be able to view settings to help users troubleshoot.

## Test plan

In dotcom mode, as a site admin, view a user or org (that the site admin is not a member of). Confirm that the settings can be viewed.
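As an added illustration of the access model described in this PR and its follow-up (example code, not Sourcegraph's own; the `Viewer`, `Org` and `OrgView` types, the function names and the wording of the SECURITY comment are assumptions), a Go resolver that hands name and displayName to any viewer, including anonymous ones, but members and settings only to org members and site admins:

```go
package main

// Viewer and Org are constructed stand-ins (assumed for this example, not Sourcegraph's types).
type Viewer struct {
	UserID    int
	SiteAdmin bool
}

type Org struct {
	Name, DisplayName string
	MemberIDs         []int
	Settings          string
}

// OrgView is what the resolver returns: public fields always; Members nil and Settings empty otherwise.
type OrgView struct {
	Name, DisplayName string
	Members           []int
	Settings          string
}

func (o *Org) hasMember(v *Viewer) bool {
	if v == nil { // anonymous viewer
		return false
	}
	for _, id := range o.MemberIDs {
		if id == v.UserID {
			return true
		}
	}
	return false
}

// CanViewOrgPrivateData is the single place the rule lives, so an edit here is
// exactly what a SECURITY-comment scanner like the one above should flag.
// SECURITY: members and settings are visible only to org members and site admins;
// name, displayName and existence are public.
func CanViewOrgPrivateData(v *Viewer, o *Org) bool {
	return o.hasMember(v) || (v != nil && v.SiteAdmin)
}

// ResolveOrg serves any viewer (nil = anonymous) the public fields and attaches
// the private ones only when CanViewOrgPrivateData allows it.
func ResolveOrg(v *Viewer, o *Org) OrgView {
	view := OrgView{Name: o.Name, DisplayName: o.DisplayName}
	if CanViewOrgPrivateData(v, o) {
		view.Members = append([]int(nil), o.MemberIDs...)
		view.Settings = o.Settings
	}
	return view
}
```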