fix(coderd): let admins change their own workspace sharing role by aslilac · Pull Request #26559 · coder/coder · GitHub

fix(coderd): let admins change their own workspace sharing role#26559

Merged
aslilac merged 1 commit into main from lilac/workspace-share-self
Jun 22, 2026

@aslilac aslilac commented Jun 22, 2026

Member

Org and deployment admins couldn't share a workspace with themselves. Workspace ACL updates rejected any change to the caller's own sharing role, even for admins whose share permission comes from their role rather than the workspace.

Self-edits are now allowed when the caller can share any workspace in the organization. Users whose only access is the share itself remain blocked from destructively demoting themselves.

Design notes

The self-guard is skipped only when Authorize(share, ResourceWorkspace.InOrg(org)) passes. That abstract, owner-less check is satisfied by org/site-level role grants, but not by owner-scoped member permissions or by a specific workspace's ACL, so it distinguishes role-based share from share that derives from the workspace itself. The dbauthz layer still independently authorizes share on the workspace.


This PR was created by Coder Agents on behalf of @aslilac.
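
The self-guard rule from the design notes above, modelled as an added Go example; it is not Coder's code and not part of this PR. `Object`, `Subject`, `CanShare` and `MaySelfEdit` are hypothetical names, and the three share sources are a deliberately simplified stand-in for the real RBAC engine.

```go
package main

import "fmt"

// Object is a toy authorization target. An empty Owner and nil ACL model the
// abstract "any workspace in this org" object from the design notes.
type Object struct {
	Org, Owner string
	ACL        map[string]bool // user ID -> has share through this workspace's ACL
}

// Subject is a toy caller with the three sources of share the notes name.
type Subject struct {
	ID         string
	SiteShare  bool            // deployment-level role grant
	OrgShare   map[string]bool // org ID -> org-level role grant
	OwnerShare bool            // member permission, scoped to workspaces the caller owns
}

// CanShare reports whether s holds share on obj in this model.
func CanShare(s Subject, obj Object) bool {
	if s.SiteShare || s.OrgShare[obj.Org] {
		return true
	}
	if s.OwnerShare && obj.Owner != "" && obj.Owner == s.ID {
		return true
	}
	return obj.ACL[s.ID]
}

// MaySelfEdit skips the self-guard only when the owner-less org-level check
// passes; share on the concrete workspace is still required independently.
func MaySelfEdit(s Subject, ws Object) bool {
	return CanShare(s, ws) && CanShare(s, Object{Org: ws.Org})
}

func main() {
	ws := Object{Org: "org-a", Owner: "owner", ACL: map[string]bool{"guest": true}}
	callers := []Subject{ // constructed sample callers
		{ID: "org-admin", OrgShare: map[string]bool{"org-a": true}},
		{ID: "owner", OwnerShare: true},
		{ID: "guest"},
	}
	for _, c := range callers {
		fmt.Printf("%-9s share=%v self-edit=%v\n", c.ID, CanShare(c, ws), MaySelfEdit(c, ws))
	}
}
```

In this model the owner and the ACL guest can both share the concrete workspace, yet neither passes the owner-less check, so the self-guard still applies to them.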

Workspace ACL updates blocked any user from changing their own sharing role. Org and deployment admins hold workspace share permission across the organization independent of a workspace's ACL, so they may now manage their own access. Users whose only access is the share itself remain blocked from destructively demoting themselves.
@aslilac aslilac merged commit 116a220 into main Jun 22, 2026
51 of 52 checks passed
@aslilac aslilac deleted the lilac/workspace-share-self branch June 22, 2026 18:27
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 22, 2026
@f0ssel f0ssel added backport and removed backport labels Jun 27, 2026

3 participants