From 163631e79c7de9ac1a261a3387658998cf0503c6 Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Wed, 23 Oct 2024 17:03:17 -0500
Subject: [PATCH] chore: use system context for fetching template information (#15205)

The authz check is Update() on the original template. This is not ideal, but it follows the existing behavior. We are implicitly granting this read access since template admins need to be able to see what users/groups exist to assign.
---
 enterprise/coderd/templates.go | 4 +++-
 enterprise/coderd/templates_test.go | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/enterprise/coderd/templates.go b/enterprise/coderd/templates.go
index 114f029c9d..3cc82e6155 100644
--- a/enterprise/coderd/templates.go
+++ b/enterprise/coderd/templates.go
@@ -66,7 +66,9 @@ func (api *API) templateAvailablePermissions(rw http.ResponseWriter, r *http.Req
 httpapi.InternalServerError(rw, err)
 return
 }
- memberCount, err := api.Database.GetGroupMembersCountByGroupID(ctx, group.Group.ID)
+
+ // nolint:gocritic
+ memberCount, err := api.Database.GetGroupMembersCountByGroupID(dbauthz.AsSystemRestricted(ctx), group.Group.ID)
 if err != nil {
 httpapi.InternalServerError(rw, err)
 return
 }
diff --git a/enterprise/coderd/templates_test.go b/enterprise/coderd/templates_test.go
index 5d9cb8ee9f..ab5442ea92 100644
--- a/enterprise/coderd/templates_test.go
+++ b/enterprise/coderd/templates_test.go
@@ -1494,6 +1494,10 @@ func TestUpdateTemplateACL(t *testing.T) {
 },
 }
+ // Group adds complexity to the /available endpoint
+ // Intentionally omit user2
+ coderdtest.CreateGroup(t, client, user.OrganizationID, "some-group", user3)
+ ctx := testutil.Context(t, testutil.WaitLong)
 err := client1.UpdateTemplateACL(ctx, template.ID, req)
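Review bot: The `// nolint:gocritic` above the `GetGroupMembersCountByGroupID` call gives no reason, so the justification for passing `dbauthz.AsSystemRestricted(ctx)` lives only in the commit message. With this change the count query runs under the system actor instead of the requester, so a group's member count is returned whether or not the caller could read that group. The only gate left is the template Update check the commit message refers to; it is not visible in this hunk and should be confirmed to run before this call on every path. I would put the rationale on the directive, e.g. `// nolint:gocritic // caller already passed the template Update check; template admins must see group sizes to assign ACLs`. The body of templateAvailablePermissions starts and ends outside the hunk.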
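Review bot: The added comment in TestUpdateTemplateACL says the group "adds complexity to the /available endpoint", but none of the visible lines call that endpoint or assert on its response. If the rest of the subtest (outside this hunk) does not query it as `client1`, the authorization change in templates.go stays uncovered. An explicit check that the non-owner template admin gets `some-group` back with the expected member count would pin the behaviour down. It would also help to extend `// Intentionally omit user2` with why, for example that user2 staying out of the group proves the count does not depend on the requester's own membership, if that is the intent.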