Contributor

@geokat geokat commented Dec 22, 2025

Part of a series (2 stacked PRs) that closes coder/internal#1073

  • PR 1/2
  • PR 2/2 (this one)

Adds a per-organization setting to disable workspace sharing. When enabled,
all existing workspace ACLs in the organization are cleared and the workspace
ACL mutation API endpoints return 403 Forbidden.

This complements the existing site-wide --disable-workspace-sharing flag by
providing more granular control at the organization level.

Changes

  • New API endpoints for organization workspace sharing settings:
    • GET /organizations/{org}/settings/workspace-sharing
    • PATCH /organizations/{org}/settings/workspace-sharing
  • CLI commands: coder organizations settings show workspace-sharing
    and coder organizations settings set workspace-sharing
  • When sharing is disabled for an organization:
    • All existing workspace ACLs are cleared (DeleteWorkspaceACLsByOrganization)
    • ACL mutation endpoints (PATCH/DELETE /workspaces/{id}/acl) return 403 Forbidden
    • The org-member role is reconciled to remove sharing permissions
  • Audit logging for settings changes

Implementation notes

  • Considered organization edit --disable-workspace-sharing but chose the settings
    endpoint pattern for extensibility (e.g., future settings like default share level, allowed
    share levels)
  • The setting is stored on the organizations table as workspace_sharing_disabled
  • Disabling sharing is a destructive operation that removes all existing ACL entries
  • Re-enabling sharing does not restore previously cleared ACLs
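The behaviour listed in the description above, as a small in-memory Go model added here for illustration (not code from this PR or from Coder): disabling sharing for one organization clears that organization's ACLs, ACL mutation then returns 403, and re-enabling restores nothing. The `store`, `workspace`, `SetSharingDisabled` and `PatchACL` names, the sample IDs and the 204/404 statuses are assumptions; only the PATCH path is modelled.

```go
package main

import "fmt"
import "net/http"

// Hypothetical in-memory model for illustration; not Coder's schema or handlers.
type workspace struct {
	OrgID string
	ACL   map[string]string // user ID -> role
}
type store struct {
	disabled   map[string]bool // org ID -> workspace_sharing_disabled
	workspaces map[string]*workspace
}

// newStore returns constructed sample data: two orgs, one shared workspace each.
func newStore() *store {
	return &store{disabled: map[string]bool{}, workspaces: map[string]*workspace{
		"ws-a": {OrgID: "org-a", ACL: map[string]string{"alice": "admin"}},
		"ws-b": {OrgID: "org-b", ACL: map[string]string{"carol": "use"}},
	}}
}

// SetSharingDisabled stores the flag; disabling also wipes every ACL in the org.
func (s *store) SetSharingDisabled(orgID string, disabled bool) (cleared int) {
	s.disabled[orgID] = disabled
	for _, ws := range s.workspaces {
		if disabled && ws.OrgID == orgID {
			cleared += len(ws.ACL)
			ws.ACL = map[string]string{}
		}
	}
	return cleared
}

// PatchACL models the ACL mutation endpoint and returns its HTTP status.
func (s *store) PatchACL(wsID, userID, role string) int {
	ws, ok := s.workspaces[wsID]
	switch {
	case !ok:
		return http.StatusNotFound
	case s.disabled[ws.OrgID]:
		return http.StatusForbidden
	}
	ws.ACL[userID] = role
	return http.StatusNoContent
}

func main() { fmt.Println(newStore().SetSharingDisabled("org-a", true)) }
```

The checks worth porting to a real deployment are the last three in the sequence: other organizations keep their grants, mutation is refused while the flag is set, and the ACL stays empty after the flag is turned back off.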

Contributor Author

geokat commented Dec 22, 2025

> • New API endpoints for organization workspace sharing settings:
>   • GET /organizations/{org}/settings/workspace-sharing
>   • PATCH /organizations/{org}/settings/workspace-sharing
> • CLI commands: coder organizations settings show workspace-sharing
>   and coder organizations settings set workspace-sharing

Now I'm not sure if we want to expose sharing_disabled as a workspace-sharing setting like I did here or as organization edit --workspace-sharing-disabled=true (which would require creating a whole new organization edit sub-command), or maybe some other way.

It's a UX question but maybe also an authz one: as a setting (the former case) it could be easily guarded with a separate RBAC resource type if necessary (e.g. ResourceWorkspaceSharingSettings) whereas as an organization property (the latter) it would fall under ActionUpdate on ResourceOrganization?

Member

aslilac commented Dec 22, 2025

just as a heads up, we usually try to limit prs to about +500 lines. a little bit bigger is fine, but this is significantly over the usual limit, which will make it much harder for us to review quickly/effectively.

@geokat geokat changed the base branch from main to geokat/internal-1073-make-org-member-role-customizable-per-org December 22, 2025 23:47
Contributor Author

geokat commented Dec 22, 2025

> just as a heads up, we usually try to limit prs to about +500 lines. a little bit bigger is fine, but this is significantly over the usual limit, which will make it much harder for us to review quickly/effectively.

My bad, I should have used #21359 as the base branch because these two are stacked. Fixed.

@geokat geokat force-pushed the geokat/internal-1073-implement-option-to-disable-workspace-sharing-per-org branch from 235a287 to 0286e78 Compare December 23, 2025 07:30
@github-actions github-actions bot added the stale label Jan 1, 2026
@github-actions github-actions bot closed this Jan 5, 2026
@geokat geokat reopened this Jan 5, 2026
@geokat geokat force-pushed the geokat/internal-1073-make-org-member-role-customizable-per-org branch from 5a38c10 to 06f14ee Compare January 5, 2026 16:31
@geokat geokat marked this pull request as draft January 5, 2026 20:23
@geokat geokat force-pushed the geokat/internal-1073-implement-option-to-disable-workspace-sharing-per-org branch from dd3ff05 to 6e2e4a1 Compare January 5, 2026 21:13
@github-actions github-actions bot removed the stale label Jan 6, 2026
@geokat geokat force-pushed the geokat/internal-1073-implement-option-to-disable-workspace-sharing-per-org branch from 6e2e4a1 to 7148ea8 Compare January 6, 2026 17:58
@geokat geokat force-pushed the geokat/internal-1073-make-org-member-role-customizable-per-org branch from 626a129 to 22a88a2 Compare January 7, 2026 15:28
@geokat geokat force-pushed the geokat/internal-1073-implement-option-to-disable-workspace-sharing-per-org branch from da83025 to f91f3b3 Compare January 7, 2026 15:31
@geokat geokat force-pushed the geokat/internal-1073-make-org-member-role-customizable-per-org branch 5 times, most recently from e0acfba to 73dca2a Compare January 7, 2026 21:53
@geokat geokat force-pushed the geokat/internal-1073-implement-option-to-disable-workspace-sharing-per-org branch from f91f3b3 to abb383b Compare January 8, 2026 03:53
@geokat geokat force-pushed the geokat/internal-1073-make-org-member-role-customizable-per-org branch 3 times, most recently from 2a3e5af to ee56fdf Compare January 9, 2026 20:20
geokat and others added 26 commits January 14, 2026 09:19
This reverts commit 41be07a.

Got picked up by mistake during a rebase.
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
@geokat geokat force-pushed the geokat/internal-1073-implement-option-to-disable-workspace-sharing-per-org branch from cf39fa5 to 2d64217 Compare January 14, 2026 17:19
@geokat geokat merged commit 0712fae into main Jan 14, 2026
35 checks passed
@geokat geokat deleted the geokat/internal-1073-implement-option-to-disable-workspace-sharing-per-org branch January 14, 2026 17:47
@github-actions github-actions bot locked and limited conversation to collaborators Jan 14, 2026
Development

Successfully merging this pull request may close these issues.

Implement organization "disable workspace sharing" option

4 participants