synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-03 16:13:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: dbauthz: fix RBAC call for GetTemplateVersionVariables (#6670)

Browse Source 
In GetTemplateVersionVariables we were effectively asking the provisionerd role to call rbac.ActionCreate on rbac.ResourceTemplate, which will never work. Updated this to be rbac.ActionRead instead.
This commit is contained in:
Cian Johnston
2023-03-20 10:22:16 +00:00
committed by GitHub
parent 39510f4163
commit 331a49bf75
2 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
coderd/database/dbauthz/querier.go
View File

@ -735,7 +735,7 @@ func (q *querier) GetTemplateVersionVariables(ctx context.Context, templateVersi
object = tv.RBACObject(template)
}
if err := q.authorizeContext(ctx, rbac.ActionCreate, object); err != nil {
if err := q.authorizeContext(ctx, rbac.ActionRead, object); err != nil {
return nil, err
}
return q.db.GetTemplateVersionVariables(ctx, templateVersionID)

10
coderd/database/dbauthz/querier_test.go
View File

@ -599,6 +599,16 @@ func (s *MethodTestSuite) TestTemplate() {
})
check.Args(tv.ID).Asserts(t1, rbac.ActionRead).Returns([]database.TemplateVersionParameter{})
}))
s.Run("GetTemplateVersionVariables", s.Subtest(func(db database.Store, check *expects) {
t1 := dbgen.Template(s.T(), db, database.Template{})
tv := dbgen.TemplateVersion(s.T(), db, database.TemplateVersion{
TemplateID: uuid.NullUUID{UUID: t1.ID, Valid: true},
})
tvv1 := dbgen.TemplateVersionVariable(s.T(), db, database.TemplateVersionVariable{
TemplateVersionID: tv.ID,
})
check.Args(tv.ID).Asserts(t1, rbac.ActionRead).Returns([]database.TemplateVersionVariable{tvv1})
}))
s.Run("GetTemplateGroupRoles", s.Subtest(func(db database.Store, check *expects) {
t1 := dbgen.Template(s.T(), db, database.Template{})
check.Args(t1.ID).Asserts(t1, rbac.ActionRead)