chore: ensure proper rbac permissions on 'Acquire' file in the cache (#18348)

The file cache was caching the `Unauthorized` errors if a user without the right perms opened the file first. So all future opens would fail. Now the cache always opens with a subject that can read files. And authz is checked on the Acquire per user.
2025-07-03 16:13:58 +00:00 · 2025-06-16 08:40:45 -05:00
parent d83706bd5b
commit 1d1070d051
16 changed files with 218 additions and 51 deletions
--- a/coderd/rbac/authz.go
+++ b/coderd/rbac/authz.go
@ -74,6 +74,11 @@ const (
 	SubjectTypeSystemRestricted             SubjectType = "system_restricted"
 	SubjectTypeNotifier                     SubjectType = "notifier"
 	SubjectTypeSubAgentAPI                  SubjectType = "sub_agent_api"
+	SubjectTypeFileReader                   SubjectType = "file_reader"
+)
+
+const (
+	SubjectTypeFileReaderID = "acbf0be6-6fed-47b6-8c43-962cb5cab994"
 )

 // Subject is a struct that contains all the elements of a subject in an rbac