prevent creation and modification of system users

This commit is contained in:
Sas Swart
2025-03-13 10:19:21 +00:00
parent 3bbe40e312
commit 4ee53e20d9
4 changed files with 47 additions and 0 deletions

View File

@ -445,6 +445,17 @@ BEGIN
END;
$$;
CREATE FUNCTION prevent_system_user_changes() RETURNS trigger
LANGUAGE plpgsql
AS $$
BEGIN
IF OLD.is_system = true THEN
RAISE EXCEPTION 'Cannot modify or delete system users';
END IF;
RETURN OLD;
END;
$$;
CREATE FUNCTION protect_deleting_organizations() RETURNS trigger
LANGUAGE plpgsql
AS $$
@ -2617,6 +2628,10 @@ CREATE OR REPLACE VIEW workspace_prebuilds AS
CREATE TRIGGER inhibit_enqueue_if_disabled BEFORE INSERT ON notification_messages FOR EACH ROW EXECUTE FUNCTION inhibit_enqueue_if_disabled();
CREATE TRIGGER prevent_system_user_deletions BEFORE DELETE ON users FOR EACH ROW WHEN ((old.is_system = true)) EXECUTE FUNCTION prevent_system_user_changes();
CREATE TRIGGER prevent_system_user_updates BEFORE UPDATE ON users FOR EACH ROW WHEN ((old.is_system = true)) EXECUTE FUNCTION prevent_system_user_changes();
CREATE TRIGGER protect_deleting_organizations BEFORE UPDATE ON organizations FOR EACH ROW WHEN (((new.deleted = true) AND (old.deleted = false))) EXECUTE FUNCTION protect_deleting_organizations();
CREATE TRIGGER remove_organization_member_custom_role BEFORE DELETE ON custom_roles FOR EACH ROW EXECUTE FUNCTION remove_organization_member_role();

View File

@ -3,6 +3,11 @@ DROP VIEW IF EXISTS workspace_prebuild_builds;
DROP VIEW IF EXISTS workspace_prebuilds;
DROP VIEW IF EXISTS workspace_latest_build;
-- Undo the restriction on deleting system users
DROP TRIGGER IF EXISTS prevent_system_user_updates ON users;
DROP TRIGGER IF EXISTS prevent_system_user_deletions ON users;
DROP FUNCTION IF EXISTS prevent_system_user_changes();
-- Revert user operations
-- c42fdf75-3097-471c-8c33-fb52454d81c0 is the identifier for the system user responsible for prebuilds.
DELETE FROM user_status_changes WHERE user_id = 'c42fdf75-3097-471c-8c33-fb52454d81c0';

View File

@ -3,6 +3,32 @@ INSERT INTO users (id, email, username, name, created_at, updated_at, status, rb
VALUES ('c42fdf75-3097-471c-8c33-fb52454d81c0', 'prebuilds@system', 'prebuilds', 'Prebuilds Owner', now(), now(),
'active', '{}', 'none', true);
-- Create function to check system user modifications
CREATE OR REPLACE FUNCTION prevent_system_user_changes()
RETURNS TRIGGER AS
$$
BEGIN
IF OLD.is_system = true THEN
RAISE EXCEPTION 'Cannot modify or delete system users';
END IF;
RETURN OLD;
END;
$$ LANGUAGE plpgsql;
-- Create trigger to prevent updates to system users
CREATE TRIGGER prevent_system_user_updates
BEFORE UPDATE ON users
FOR EACH ROW
WHEN (OLD.is_system = true)
EXECUTE FUNCTION prevent_system_user_changes();
-- Create trigger to prevent deletion of system users
CREATE TRIGGER prevent_system_user_deletions
BEFORE DELETE ON users
FOR EACH ROW
WHEN (OLD.is_system = true)
EXECUTE FUNCTION prevent_system_user_changes();
-- TODO: do we *want* to use the default org here? how do we handle multi-org?
WITH default_org AS (SELECT id
FROM organizations

View File

@ -823,6 +823,7 @@ func TestGroup(t *testing.T) {
t.Run("everyoneGroupReturnsEmpty", func(t *testing.T) {
// TODO (sasswart): this test seems to have drifted from its original intention. evaluate and remove/fix
// "everyone group returns empty", but it returns 5 members?
t.Parallel()
// TODO: we should not be returning the prebuilds user in Group, and this is not returned in dbmem.