feat(bootstrap): grant project-create to org member role #1708
whoAbhishekSah wants to merge 1 commit into
CodeRabbit: No actionable comments were generated in the recent review. Estimated code review effort: 1 (Trivial), ~2 minutes. Pre-merge checks: 2 passed.
Coveralls: Coverage Report for CI Build 27816531053. Coverage remained the same at 43.804%. No uncovered changes found. No coverage regressions found.
Add app_organization_projectcreate to the predefined organization viewer
("Member") role so org members can create projects, not just read the org.
Also remove a duplicate PredefinedRoles entry titled "Group Viewer" that
reused the same Name (RoleOrganizationViewer / app_organization_viewer). It
defined no distinct role — MigrateRoles reconciled the same role twice, last
write winning — so removing it has no functional effect beyond dropping a
redundant pass and makes the role single-sourced.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
906620b to 94688fe
Closing — adding app_organization_projectcreate to the base Member role over-grants: service users (and all members) hold Member by default, so this would let every member/service-user create projects, which the serviceusers regression tests correctly guard against. The intended model is to grant project creation via the Manager role or an explicit policy; the read-only Member role is correct. The duplicate-role cleanup can be done separately if wanted.
What

Add app_organization_projectcreate to the predefined organization viewer ("Member") role, so an org Member can create projects rather than only reading the org.

Remove a duplicate PredefinedRoles entry titled "Group Viewer" that reused the same Name (RoleOrganizationViewer = app_organization_viewer).

Why the duplicate removal

PredefinedRoles defined RoleOrganizationViewer twice — "Member" and "Group Viewer" — with the same Name, so it never created a distinct role. MigrateRoles reconciled the same role twice (last write winning), which meant any edit to the Member role had to be mirrored in both entries or the second would reset it. The "Group Viewer" copy traces back to #399 and looks like a copy/paste that reused the org-viewer name instead of a dedicated group-viewer constant. Removing it is functionally inert (same Name, no separate role) and makes the role single-sourced.

Impact

Additive for permissions — Member gains projectcreate, nothing is removed. The dedupe changes no runtime behavior (the duplicate was a redundant reconcile of the same role). Applied via the normal boot-time role reconcile.

🤖 Generated with Claude Code
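The duplicate-Name behaviour described in this PR, as an added example that is not part of the PR or the project's code: a check that flags role names defined more than once, next to a model of a last-write-wins reconcile showing how an edit made to only one entry is reset. `RoleDef`, `DuplicateNames`, `Reconcile` and the `app_organization_get` permission are hypothetical names used for illustration.

```go
package main

import "fmt"

// RoleDef is a hypothetical stand-in for one predefined role entry (not the project's type).
type RoleDef struct {
	Title       string
	Name        string // key the reconcile upserts on
	Permissions []string
}

// DuplicateNames maps every Name defined more than once to the titles sharing it.
func DuplicateNames(defs []RoleDef) map[string][]string {
	byName := map[string][]string{}
	for _, d := range defs {
		byName[d.Name] = append(byName[d.Name], d.Title)
	}
	for name, titles := range byName {
		if len(titles) < 2 {
			delete(byName, name)
		}
	}
	return byName
}

// Reconcile models an upsert keyed on Name: a later entry replaces an earlier one,
// so the returned permission set per role is whatever the last definition carried.
func Reconcile(defs []RoleDef) map[string]map[string]bool {
	effective := map[string]map[string]bool{}
	for _, d := range defs {
		set := map[string]bool{}
		for _, p := range d.Permissions {
			set[p] = true
		}
		effective[d.Name] = set
	}
	return effective
}

// Constructed sample: only "Member" was edited; "app_organization_get" is a placeholder permission.
var sample = []RoleDef{
	{"Member", "app_organization_viewer", []string{"app_organization_get", "app_organization_projectcreate"}},
	{"Group Viewer", "app_organization_viewer", []string{"app_organization_get"}},
}

func main() {
	fmt.Println("duplicates:", DuplicateNames(sample), "effective:", Reconcile(sample))
}
```

Run as a unit test over the real role list, a non-empty `DuplicateNames` result is the condition to fail on, since the effective grant then depends on entry order rather than on the entry a reviewer reads.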