chore: use system context for fetching template information (#15205)

The authz check is Update() on the original template. This is not ideal,
but it follows the existing behavior. We are implicitly granting this
read access since template admins need to be able to see what
users/groups exist to assign.
Steven Masley
2024-10-23 17:03:17 -05:00
committed by GitHub
parent fed70bdeb8
commit 163631e79c
2 changed files with 7 additions and 1 deletions


@ -66,7 +66,9 @@ func (api *API) templateAvailablePermissions(rw http.ResponseWriter, r *http.Req
httpapi.InternalServerError(rw, err) httpapi.InternalServerError(rw, err)
return return
} }
memberCount, err := api.Database.GetGroupMembersCountByGroupID(ctx, group.Group.ID)
// nolint:gocritic
memberCount, err := api.Database.GetGroupMembersCountByGroupID(dbauthz.AsSystemRestricted(ctx), group.Group.ID)
if err != nil { if err != nil {
httpapi.InternalServerError(rw, err) httpapi.InternalServerError(rw, err)
return return
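Review bot: The `// nolint:gocritic` directive on the new `GetGroupMembersCountByGroupID` call carries no reason, so the code itself does not say why bypassing the caller's authorization with `dbauthz.AsSystemRestricted(ctx)` is acceptable here. The commit message gives the rationale (the handler is gated by Update on the template, and template admins need to see which users and groups exist), and it belongs next to the call, e.g. `// nolint:gocritic // Caller already passed the template Update check; member counts are needed to assign groups.` The elevated context is passed inline rather than assigned to `ctx`, which keeps it to this one query and is worth preserving. The Update check and the loop that produces `group` lie outside the hunk, so confirm that the groups reaching this call are limited to the template's organization.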


@ -1494,6 +1494,10 @@ func TestUpdateTemplateACL(t *testing.T) {
}, },
} }
// Group adds complexity to the /available endpoint
// Intentionally omit user2
coderdtest.CreateGroup(t, client, user.OrganizationID, "some-group", user3)
ctx := testutil.Context(t, testutil.WaitLong) ctx := testutil.Context(t, testutil.WaitLong)
err := client1.UpdateTemplateACL(ctx, template.ID, req) err := client1.UpdateTemplateACL(ctx, template.ID, req)
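Review bot: The two added comments do not say which failure the new group guards against, and no assertion on the /available response is visible in this hunk. If the intent is a regression test for the member-count lookup running under a non-owner caller, state it, e.g. `// Regression: with a group present, /available must still succeed for this caller.`, and assert the returned group's member count so that omitting user2 is actually checked. The rest of TestUpdateTemplateACL is outside the hunk, so such an assertion may already exist further down.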