synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-03 16:13:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: stop leaking User into API handlers unless authorized

Browse Source 
Fixes an issue where we extracted the `{user}` parameter from the URL and added it to the API Handler context regardless of whether the caller had permission to read the User.
This commit is contained in:
Spike Curtis
2023-10-11 09:41:14 +04:00
committed by GitHub
parent fbabb43cbb
commit 7c71053eab
6 changed files with 43 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
coderd/users_test.go
View File

@ -326,7 +326,7 @@ func TestDeleteUser(t *testing.T) {
err := client.DeleteUser(context.Background(), firstUser.UserID)
var apiErr *codersdk.Error
require.ErrorAs(t, err, &apiErr)
require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
})
t.Run("HasWorkspaces", func(t *testing.T) {
t.Parallel()
@ -930,7 +930,7 @@ func TestGrantSiteRoles(t *testing.T) {
AssignToUser: first.UserID.String(),
Roles: []string{},
Error: true,
StatusCode: http.StatusForbidden,
StatusCode: http.StatusBadRequest,
},
{
// Cannot update your own roles