prevent creation and modification of system users
15
coderd/database/dump.sql
generated
15
coderd/database/dump.sql
generated
@ -445,6 +445,17 @@ BEGIN
|
||||
END;
|
||||
$$;
|
||||
|
||||
CREATE FUNCTION prevent_system_user_changes() RETURNS trigger
|
||||
LANGUAGE plpgsql
|
||||
AS $$
|
||||
BEGIN
|
||||
IF OLD.is_system = true THEN
|
||||
RAISE EXCEPTION 'Cannot modify or delete system users';
|
||||
END IF;
|
||||
RETURN OLD;
|
||||
END;
|
||||
$$;
|
||||
|
||||
CREATE FUNCTION protect_deleting_organizations() RETURNS trigger
|
||||
LANGUAGE plpgsql
|
||||
AS $$
|
||||
@ -2617,6 +2628,10 @@ CREATE OR REPLACE VIEW workspace_prebuilds AS
|
||||
|
||||
CREATE TRIGGER inhibit_enqueue_if_disabled BEFORE INSERT ON notification_messages FOR EACH ROW EXECUTE FUNCTION inhibit_enqueue_if_disabled();
|
||||
|
||||
CREATE TRIGGER prevent_system_user_deletions BEFORE DELETE ON users FOR EACH ROW WHEN ((old.is_system = true)) EXECUTE FUNCTION prevent_system_user_changes();
|
||||
|
||||
CREATE TRIGGER prevent_system_user_updates BEFORE UPDATE ON users FOR EACH ROW WHEN ((old.is_system = true)) EXECUTE FUNCTION prevent_system_user_changes();
|
||||
|
||||
CREATE TRIGGER protect_deleting_organizations BEFORE UPDATE ON organizations FOR EACH ROW WHEN (((new.deleted = true) AND (old.deleted = false))) EXECUTE FUNCTION protect_deleting_organizations();
|
||||
|
||||
CREATE TRIGGER remove_organization_member_custom_role BEFORE DELETE ON custom_roles FOR EACH ROW EXECUTE FUNCTION remove_organization_member_role();
|
||||
|
@ -3,6 +3,11 @@ DROP VIEW IF EXISTS workspace_prebuild_builds;
|
||||
DROP VIEW IF EXISTS workspace_prebuilds;
|
||||
DROP VIEW IF EXISTS workspace_latest_build;
|
||||
|
||||
-- Undo the restriction on deleting system users
|
||||
DROP TRIGGER IF EXISTS prevent_system_user_updates ON users;
|
||||
DROP TRIGGER IF EXISTS prevent_system_user_deletions ON users;
|
||||
DROP FUNCTION IF EXISTS prevent_system_user_changes();
|
||||
|
||||
-- Revert user operations
|
||||
-- c42fdf75-3097-471c-8c33-fb52454d81c0 is the identifier for the system user responsible for prebuilds.
|
||||
DELETE FROM user_status_changes WHERE user_id = 'c42fdf75-3097-471c-8c33-fb52454d81c0';
|
||||
|
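Review bot: The comment `-- Undo the restriction on deleting system users` understates what follows, since the block drops the update trigger as well as the delete trigger, and it does not say why the drops sit above the `-- Revert user operations` statements. If the rest of this down migration removes or edits the prebuilds user (not visible in this hunk), these drops have to run first or the triggers would reject those statements. A comment such as `-- Drop the system-user guards first: later statements could not modify or delete the prebuilds user while they exist.` would record that ordering constraint for whoever reorders the file later.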
@ -3,6 +3,32 @@ INSERT INTO users (id, email, username, name, created_at, updated_at, status, rb
|
||||
VALUES ('c42fdf75-3097-471c-8c33-fb52454d81c0', 'prebuilds@system', 'prebuilds', 'Prebuilds Owner', now(), now(),
|
||||
'active', '{}', 'none', true);
|
||||
|
||||
-- Create function to check system user modifications
|
||||
CREATE OR REPLACE FUNCTION prevent_system_user_changes()
|
||||
RETURNS TRIGGER AS
|
||||
$$
|
||||
BEGIN
|
||||
IF OLD.is_system = true THEN
|
||||
RAISE EXCEPTION 'Cannot modify or delete system users';
|
||||
END IF;
|
||||
RETURN OLD;
|
||||
END;
|
||||
$$ LANGUAGE plpgsql;
|
||||
|
||||
-- Create trigger to prevent updates to system users
|
||||
CREATE TRIGGER prevent_system_user_updates
|
||||
BEFORE UPDATE ON users
|
||||
FOR EACH ROW
|
||||
WHEN (OLD.is_system = true)
|
||||
EXECUTE FUNCTION prevent_system_user_changes();
|
||||
|
||||
-- Create trigger to prevent deletion of system users
|
||||
CREATE TRIGGER prevent_system_user_deletions
|
||||
BEFORE DELETE ON users
|
||||
FOR EACH ROW
|
||||
WHEN (OLD.is_system = true)
|
||||
EXECUTE FUNCTION prevent_system_user_changes();
|
||||
|
||||
-- TODO: do we *want* to use the default org here? how do we handle multi-org?
|
||||
WITH default_org AS (SELECT id
|
||||
FROM organizations
|
||||
|
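Review bot: Both triggers fire only `WHEN (OLD.is_system = true)`, so in the SQL shown here nothing rejects an INSERT with `is_system = true` or an UPDATE that sets `is_system` to true on an ordinary row, although the commit title says creation is prevented; if that is enforced elsewhere, it is not visible in this hunk. The function also ends in `RETURN OLD`, which in a BEFORE UPDATE trigger would silently discard the new values if the function were ever attached without the WHEN clause, so it is safer to branch on `TG_OP` and return `NEW` for INSERT and UPDATE. A possible shape is below; the trigger name `prevent_system_user_inserts` is only a suggestion, the down migration would need a matching `DROP TRIGGER IF EXISTS`, and dump.sql would need regenerating. Whether rejecting every such insert is acceptable depends on system users only ever being created by migrations that run before the trigger exists, which this page does not show.

```sql
CREATE OR REPLACE FUNCTION prevent_system_user_changes()
    RETURNS TRIGGER AS
$$
BEGIN
    IF TG_OP = 'INSERT' THEN
        -- System users may only be seeded before this trigger exists.
        IF NEW.is_system = true THEN
            RAISE EXCEPTION 'Cannot create system users';
        END IF;
        RETURN NEW;
    ELSIF TG_OP = 'UPDATE' THEN
        -- Covers both editing a system user and promoting an ordinary user.
        IF OLD.is_system = true OR NEW.is_system = true THEN
            RAISE EXCEPTION 'Cannot modify or delete system users';
        END IF;
        RETURN NEW;
    END IF;
    -- DELETE: a non-null return value lets the delete proceed.
    IF OLD.is_system = true THEN
        RAISE EXCEPTION 'Cannot modify or delete system users';
    END IF;
    RETURN OLD;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER prevent_system_user_inserts
    BEFORE INSERT ON users
    FOR EACH ROW
    WHEN (NEW.is_system = true)
    EXECUTE FUNCTION prevent_system_user_changes();

CREATE TRIGGER prevent_system_user_updates
    BEFORE UPDATE ON users
    FOR EACH ROW
    WHEN (OLD.is_system = true OR NEW.is_system = true)
    EXECUTE FUNCTION prevent_system_user_changes();

-- … unchanged: prevent_system_user_deletions trigger …
```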
@ -823,6 +823,7 @@ func TestGroup(t *testing.T) {
|
||||
|
||||
t.Run("everyoneGroupReturnsEmpty", func(t *testing.T) {
|
||||
// TODO (sasswart): this test seems to have drifted from its original intention. evaluate and remove/fix
|
||||
// "everyone group returns empty", but it returns 5 members?
|
||||
t.Parallel()
|
||||
|
||||
// TODO: we should not be returning the prebuilds user in Group, and this is not returned in dbmem.
|
||||
|