feat: remove site wide perms from creating a workspace (#17296)

Creating a workspace previously required `read` on site-wide `user`.
Only organization permissions should be required.
Steven Masley
2025-04-09 14:35:43 -05:00
committed by GitHub
parent a03a54dd14
commit 0b58798a1a
8 changed files with 392 additions and 135 deletions


@ -31,13 +31,18 @@ func UserParam(r *http.Request) database.User {
return user
}
func UserParamOptional(r *http.Request) (database.User, bool) {
user, ok := r.Context().Value(userParamContextKey{}).(database.User)
return user, ok
}
// ExtractUserParam extracts a user from an ID/username in the {user} URL
// parameter.
func ExtractUserParam(db database.Store) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
user, ok := extractUserContext(ctx, db, rw, r)
user, ok := ExtractUserContext(ctx, db, rw, r)
if !ok {
// response already handled
return
@ -48,15 +53,31 @@ func ExtractUserParam(db database.Store) func(http.Handler) http.Handler {
}
}
// extractUserContext queries the database for the parameterized `{user}` from the request URL.
func extractUserContext(ctx context.Context, db database.Store, rw http.ResponseWriter, r *http.Request) (user database.User, ok bool) {
// ExtractUserParamOptional does not fail if no user is present.
func ExtractUserParamOptional(db database.Store) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
user, ok := ExtractUserContext(ctx, db, &httpapi.NoopResponseWriter{}, r)
if ok {
ctx = context.WithValue(ctx, userParamContextKey{}, user)
}
next.ServeHTTP(rw, r.WithContext(ctx))
})
}
}
// ExtractUserContext queries the database for the parameterized `{user}` from the request URL.
func ExtractUserContext(ctx context.Context, db database.Store, rw http.ResponseWriter, r *http.Request) (user database.User, ok bool) {
// userQuery is either a uuid, a username, or 'me'
userQuery := chi.URLParam(r, "user")
if userQuery == "" {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "\"user\" must be provided.",
})
return database.User{}, true
return database.User{}, false
}
if userQuery == "me" {