synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-06 15:41:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: ensure proper rbac permissions on 'Acquire' file in the cache (#18348)

Browse Source 
The file cache was caching the `Unauthorized` errors if a user without
the right perms opened the file first. So all future opens would fail.

Now the cache always opens with a subject that can read files. And authz
is checked on the Acquire per user.
This commit is contained in:
Steven Masley
2025-06-16 08:40:45 -05:00
committed by GitHub
parent d83706bd5b
commit 1d1070d051
16 changed files with 218 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
coderd/roles.go
View File

@ -26,7 +26,7 @@ import (
// @Router /users/roles [get]
func (api *API) AssignableSiteRoles(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
actorRoles := httpmw.UserAuthorization(r)
actorRoles := httpmw.UserAuthorization(r.Context())
if !api.Authorize(r, policy.ActionRead, rbac.ResourceAssignRole) {
httpapi.Forbidden(rw)
return
@ -59,7 +59,7 @@ func (api *API) AssignableSiteRoles(rw http.ResponseWriter, r *http.Request) {
func (api *API) assignableOrgRoles(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
organization := httpmw.OrganizationParam(r)
actorRoles := httpmw.UserAuthorization(r)
actorRoles := httpmw.UserAuthorization(r.Context())
if !api.Authorize(r, policy.ActionRead, rbac.ResourceAssignOrgRole.InOrg(organization.ID)) {
httpapi.ResourceNotFound(rw)