Skip to content

Team Viewer Role & RBAC Improvements #308

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
frodesundby wants to merge 17 commits into
base: main
Choose a base branch
from
Open

Team Viewer Role & RBAC Improvements #308

frodesundby wants to merge 17 commits into from

Conversation

@frodesundby
Copy link
Contributor

@frodesundby frodesundby commented Jan 16, 2026
edited by jhrv
Loading

Changes

 - New Team Viewer role - Read-only access to team resources, cannot elevate to see secrets
 - Renamed Member → Editor - Clearer naming (VIEWER/EDITOR/OWNER)
 - Renamed GraphQL fields - viewerIsMember → userIsMember, viewerIsOwner → userIsOwner, viewerCanElevate → userCanElevate

Migrations

 - 0057_add_team_viewer_role.sql - Creates Team viewer role with limited permissions
 - 0058_rename_team_member_to_editor.sql - Renames Team member → Team editor

Breaking Changes

 - GraphQL enum TeamMemberRole now has values: VIEWER, EDITOR, OWNER (was MEMBER, OWNER)
 - GraphQL fields renamed from viewer* to user* prefix

@frodesundby frodesundby requested a review from a team as a code owner January 16, 2026 14:39
@jhrv jhrv changed the title Envmapping Team Viewer Role & RBAC Improvements Jan 19, 2026
thokra-nav
thokra-nav reviewed Jan 19, 2026
View reviewed changes
thokra-nav
thokra-nav reviewed Jan 19, 2026
View reviewed changes
thokra-nav
thokra-nav reviewed Jan 19, 2026
View reviewed changes
jhrv and others added 4 commits January 19, 2026 16:40
@jhrv
revert
5c9abe0
@frodesundby
Rename team role "editor" to "member" everywhere
4585327
@frodesundby
Remove obsolete viewer role test from elevation integration tests
49c41e9
@frodesundby
Remove service account client logic from secret loader
cf521ca 
Refactor secret loader to use impersonated clients for all
operations. Remove ServiceAccountClientCreator and related methods.
Update secret queries to use watcher.ImpersonatedClient and
watcher.Delete.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhrv jhrv jhrv left review comments

@thokra-nav thokra-nav thokra-nav left review comments

Assignees

No one assigned

Labels

graphql-review-required

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@frodesundby @jhrv @thokra-nav