remove * and remove site-wide perms for secrets

evgeniy-scherbina · evgeniy-scherbina · commit 1663531cb027 · 2025-07-31T18:04:56.000Z
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -270,7 +270,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 		Site: append(
 			// Workspace dormancy and workspace are omitted.
 			// Workspace is specifically handled based on the opts.NoOwnerWorkspaceExec
-			allPermsExcept(ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceWorkspace),
+			allPermsExcept(ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceWorkspace, ResourceUserSecret),
 			// This adds back in the Workspace permissions.
 			Permissions(map[string][]policy.Action{
 				ResourceWorkspace.Type:        ownerWorkspaceActions,
diff --git a/coderd/rbac/scopes.go b/coderd/rbac/scopes.go
@@ -53,7 +53,6 @@ func WorkspaceAgentScope(params WorkspaceAgentScopeParams) Scope {
 			params.TemplateID.String(),
 			params.VersionID.String(),
 			params.OwnerID.String(),
-			"*",
 		},
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,6 @@ func WorkspaceAgentScope(params WorkspaceAgentScopeParams) Scope {`
`53`	`53`	`params.TemplateID.String(),`
`54`	`54`	`params.VersionID.String(),`
`55`	`55`	`params.OwnerID.String(),`
`56`		`- "*",`
`57`	`56`	`},`
`58`	`57`	`}`
`59`	`58`	`}`