From 7ddd9cf4a86d10dc32e4a45ea1db89109475d375 Mon Sep 17 00:00:00 2001
From: Timofei Larkin <lllamnyp@gmail.com>
Date: Wed, 12 Nov 2025 14:09:37 +0300
Subject: [PATCH] [rbac] Fix permissions for high-privilege users

## What this PR does

This patch grants "admin" permissions to super-admins, "use" permissions
to admins and super-admins, "view" permissions to "use"-privileged
users, admins, and super-admins. Previously lower-privileged roles were
not assigned to higher-privileged users, so a viewer could excercise
their basic read-only permissions which were not available to
high-privilege users. This patch corrects the template function used to
generate subjects in rolebindings, fixing the issue.

### Release note

```release-note
[rbac] Fix issue of privileged users not having low-privilege read-only
permissions.
```

Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
---
 packages/apps/tenant/templates/tenant.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/packages/apps/tenant/templates/tenant.yaml b/packages/apps/tenant/templates/tenant.yaml
index 3bb4a7d5..6d325a07 100644
--- a/packages/apps/tenant/templates/tenant.yaml
+++ b/packages/apps/tenant/templates/tenant.yaml
@@ -122,7 +122,7 @@ metadata:
   name: {{ include "tenant.name" . }}-view
   namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "view" (include "tenant.name" .)) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "view" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-view
@@ -200,7 +200,7 @@ metadata:
   name: {{ include "tenant.name" . }}-use
   namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "use" (include "tenant.name" .)) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "use" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-use
@@ -299,7 +299,7 @@ metadata:
   name: {{ include "tenant.name" . }}-admin
   namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "admin" (include "tenant.name" .)) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "admin" (include "tenant.name" .)) | nindent 2 }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-admin
@@ -373,7 +373,7 @@ metadata:
   name: {{ include "tenant.name" . }}-super-admin
   namespace: {{ include "tenant.name" . }}
 subjects:
-{{ include "cozy-lib.rbac.subjectsForTenant" (list "super-admin" (include "tenant.name" .) ) | nindent 2 }}
+{{ include "cozy-lib.rbac.subjectsForTenantAndAccessLevel" (list "super-admin" (include "tenant.name" .) ) | nindent 2 }}
 roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}-super-admin