mirror of
https://github.com/coder/coder.git
synced 2025-07-15 22:20:27 +00:00
chore: push GetUsers authorization filter to SQL (#8497)
* feat: push GetUsers filter to SQL * Remove GetAuthorizedUserFilter * Remove GetFilteredUserCount * remove GetUsersWithCount
This commit is contained in:
@ -586,32 +586,6 @@ func (q *querier) SoftDeleteTemplateByID(ctx context.Context, id uuid.UUID) erro
|
||||
return deleteQ(q.log, q.auth, q.db.GetTemplateByID, deleteF)(ctx, id)
|
||||
}
|
||||
|
||||
func (q *querier) GetUsersWithCount(ctx context.Context, arg database.GetUsersParams) ([]database.User, int64, error) {
|
||||
// TODO Implement this with a SQL filter. The count is incorrect without it.
|
||||
rowUsers, err := q.db.GetUsers(ctx, arg)
|
||||
if err != nil {
|
||||
return nil, -1, err
|
||||
}
|
||||
|
||||
if len(rowUsers) == 0 {
|
||||
return []database.User{}, 0, nil
|
||||
}
|
||||
|
||||
act, ok := ActorFromContext(ctx)
|
||||
if !ok {
|
||||
return nil, -1, NoActorError
|
||||
}
|
||||
|
||||
// TODO: Is this correct? Should we return a restricted user?
|
||||
users := database.ConvertUserRows(rowUsers)
|
||||
users, err = rbac.Filter(ctx, q.auth, act, rbac.ActionRead, users)
|
||||
if err != nil {
|
||||
return nil, -1, err
|
||||
}
|
||||
|
||||
return users, rowUsers[0].Count, nil
|
||||
}
|
||||
|
||||
func (q *querier) SoftDeleteUserByID(ctx context.Context, id uuid.UUID) error {
|
||||
deleteF := func(ctx context.Context, id uuid.UUID) error {
|
||||
return q.db.UpdateUserDeletedByID(ctx, database.UpdateUserDeletedByIDParams{
|
||||
@ -904,15 +878,6 @@ func (q *querier) GetFileTemplates(ctx context.Context, fileID uuid.UUID) ([]dat
|
||||
return q.db.GetFileTemplates(ctx, fileID)
|
||||
}
|
||||
|
||||
func (q *querier) GetFilteredUserCount(ctx context.Context, arg database.GetFilteredUserCountParams) (int64, error) {
|
||||
prep, err := prepareSQLFilter(ctx, q.auth, rbac.ActionRead, rbac.ResourceUser.Type)
|
||||
if err != nil {
|
||||
return -1, xerrors.Errorf("(dev error) prepare sql filter: %w", err)
|
||||
}
|
||||
// TODO: This should be the only implementation.
|
||||
return q.GetAuthorizedUserCount(ctx, arg, prep)
|
||||
}
|
||||
|
||||
func (q *querier) GetGitAuthLink(ctx context.Context, arg database.GetGitAuthLinkParams) (database.GitAuthLink, error) {
|
||||
return fetch(q.log, q.auth, q.db.GetGitAuthLink)(ctx, arg)
|
||||
}
|
||||
@ -1389,8 +1354,12 @@ func (q *querier) GetUserLinkByUserIDLoginType(ctx context.Context, arg database
|
||||
}
|
||||
|
||||
func (q *querier) GetUsers(ctx context.Context, arg database.GetUsersParams) ([]database.GetUsersRow, error) {
|
||||
// TODO: We should use GetUsersWithCount with a better method signature.
|
||||
return fetchWithPostFilter(q.auth, q.db.GetUsers)(ctx, arg)
|
||||
// This does the filtering in SQL.
|
||||
prep, err := prepareSQLFilter(ctx, q.auth, rbac.ActionRead, rbac.ResourceUser.Type)
|
||||
if err != nil {
|
||||
return nil, xerrors.Errorf("(dev error) prepare sql filter: %w", err)
|
||||
}
|
||||
return q.db.GetAuthorizedUsers(ctx, arg, prep)
|
||||
}
|
||||
|
||||
// GetUsersByIDs is only used for usernames on workspace return data.
|
||||
@ -2639,6 +2608,9 @@ func (q *querier) GetAuthorizedWorkspaces(ctx context.Context, arg database.GetW
|
||||
return q.GetWorkspaces(ctx, arg)
|
||||
}
|
||||
|
||||
func (q *querier) GetAuthorizedUserCount(ctx context.Context, arg database.GetFilteredUserCountParams, prepared rbac.PreparedAuthorized) (int64, error) {
|
||||
return q.db.GetAuthorizedUserCount(ctx, arg, prepared)
|
||||
// GetAuthorizedUsers is not required for dbauthz since GetUsers is already
|
||||
// authenticated.
|
||||
func (q *querier) GetAuthorizedUsers(ctx context.Context, arg database.GetUsersParams, _ rbac.PreparedAuthorized) ([]database.GetUsersRow, error) {
|
||||
// GetUsers is authenticated.
|
||||
return q.GetUsers(ctx, arg)
|
||||
}
|
||||
|
Reference in New Issue
Block a user