synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-08 11:39:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Validate template version name (#6804)

Browse Source 
* WIP

* Update

* Validation
This commit is contained in:
Marcin Tojek
2023-03-27 13:54:01 +02:00
committed by GitHub
parent e0cc4ee7f8
commit 8187992e7f
6 changed files with 105 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
coderd/database/dbauthz/querier.go
View File

@ -859,11 +859,22 @@ func (q *querier) UpdateTemplateScheduleByID(ctx context.Context, arg database.U
}
func (q *querier) UpdateTemplateVersionByID(ctx context.Context, arg database.UpdateTemplateVersionByIDParams) (database.TemplateVersion, error) {
template, err := q.db.GetTemplateByID(ctx, arg.TemplateID.UUID)
// An actor is allowed to update the template version if they are authorized to update the template.
tv, err := q.db.GetTemplateVersionByID(ctx, arg.ID)
if err != nil {
return database.TemplateVersion{}, err
}
if err := q.authorizeContext(ctx, rbac.ActionUpdate, template); err != nil {
var obj rbac.Objecter
if !tv.TemplateID.Valid {
obj = rbac.ResourceTemplate.InOrg(tv.OrganizationID)
} else {
tpl, err := q.db.GetTemplateByID(ctx, tv.TemplateID.UUID)
if err != nil {
return database.TemplateVersion{}, err
}
obj = tpl
}
if err := q.authorizeContext(ctx, rbac.ActionUpdate, obj); err != nil {
return database.TemplateVersion{}, err
}
return q.db.UpdateTemplateVersionByID(ctx, arg)