fix: allow users to use quiet hours endpoint (#10547)

2025-07-13 21:36:50 +00:00 · 2023-11-06 23:16:50 +10:00
parent 95e5419626
commit bb5acb0332
2 changed files with 19 additions and 11 deletions
--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@ -2653,10 +2653,14 @@ func (q *querier) UpdateUserProfile(ctx context.Context, arg database.UpdateUser
 }

 func (q *querier) UpdateUserQuietHoursSchedule(ctx context.Context, arg database.UpdateUserQuietHoursScheduleParams) (database.User, error) {
-	fetch := func(ctx context.Context, arg database.UpdateUserQuietHoursScheduleParams) (database.User, error) {
-		return q.db.GetUserByID(ctx, arg.ID)
+	u, err := q.db.GetUserByID(ctx, arg.ID)
+	if err != nil {
+		return database.User{}, err
 	}
-	return updateWithReturn(q.log, q.auth, fetch, q.db.UpdateUserQuietHoursSchedule)(ctx, arg)
+	if err := q.authorizeContext(ctx, rbac.ActionUpdate, u.UserDataRBACObject()); err != nil {
+		return database.User{}, err
+	}
+	return q.db.UpdateUserQuietHoursSchedule(ctx, arg)
 }

 // UpdateUserRoles updates the site roles of a user. The validation for this function include more than
--- a/enterprise/coderd/users_test.go
+++ b/enterprise/coderd/users_test.go
@ -37,7 +37,7 @@ func TestUserQuietHours(t *testing.T) {
 		dv.UserQuietHoursSchedule.DefaultSchedule.Set(defaultQuietHoursSchedule)
 		dv.Experiments.Set(string(codersdk.ExperimentTemplateAutostopRequirement))

-		client, user := coderdenttest.New(t, &coderdenttest.Options{
+		adminClient, adminUser := coderdenttest.New(t, &coderdenttest.Options{
 			Options: &coderdtest.Options{
 				DeploymentValues: dv,
 			},
@ -49,6 +49,10 @@ func TestUserQuietHours(t *testing.T) {
 			},
 		})

+		// Do it with another user to make sure that we're not hitting RBAC
+		// errors.
+		client, user := coderdtest.CreateAnotherUser(t, adminClient, adminUser.OrganizationID)
+
 		// Get quiet hours for a user that doesn't have them set.
 		ctx := testutil.Context(t, testutil.WaitLong)
 		sched1, err := client.UserQuietHoursSchedule(ctx, codersdk.Me)
@ -72,7 +76,7 @@ func TestUserQuietHours(t *testing.T) {
 			require.NoError(t, err)
 		}

-		sched2, err := client.UpdateUserQuietHoursSchedule(ctx, user.UserID.String(), codersdk.UpdateUserQuietHoursScheduleRequest{
+		sched2, err := client.UpdateUserQuietHoursSchedule(ctx, user.ID.String(), codersdk.UpdateUserQuietHoursScheduleRequest{
 			Schedule: customQuietHoursSchedule,
 		})
 		require.NoError(t, err)
@ -83,7 +87,7 @@ func TestUserQuietHours(t *testing.T) {
 		require.WithinDuration(t, customScheduleParsed.Next(time.Now()), sched2.Next, 15*time.Second)

 		// Get quiet hours for a user that has them set.
-		sched3, err := client.UserQuietHoursSchedule(ctx, user.UserID.String())
+		sched3, err := client.UserQuietHoursSchedule(ctx, user.ID.String())
 		require.NoError(t, err)
 		require.Equal(t, customScheduleParsed.String(), sched3.RawSchedule)
 		require.True(t, sched3.UserSet)
@ -92,33 +96,33 @@ func TestUserQuietHours(t *testing.T) {
 		require.WithinDuration(t, customScheduleParsed.Next(time.Now()), sched3.Next, 15*time.Second)

 		// Try setting a garbage schedule.
-		_, err = client.UpdateUserQuietHoursSchedule(ctx, user.UserID.String(), codersdk.UpdateUserQuietHoursScheduleRequest{
+		_, err = client.UpdateUserQuietHoursSchedule(ctx, user.ID.String(), codersdk.UpdateUserQuietHoursScheduleRequest{
 			Schedule: "garbage",
 		})
 		require.Error(t, err)
 		require.ErrorContains(t, err, "parse daily schedule")

 		// Try setting a non-daily schedule.
-		_, err = client.UpdateUserQuietHoursSchedule(ctx, user.UserID.String(), codersdk.UpdateUserQuietHoursScheduleRequest{
+		_, err = client.UpdateUserQuietHoursSchedule(ctx, user.ID.String(), codersdk.UpdateUserQuietHoursScheduleRequest{
 			Schedule: "CRON_TZ=America/Chicago 0 0 * * 1",
 		})
 		require.Error(t, err)
 		require.ErrorContains(t, err, "parse daily schedule")

 		// Try setting a schedule with a timezone that doesn't exist.
-		_, err = client.UpdateUserQuietHoursSchedule(ctx, user.UserID.String(), codersdk.UpdateUserQuietHoursScheduleRequest{
+		_, err = client.UpdateUserQuietHoursSchedule(ctx, user.ID.String(), codersdk.UpdateUserQuietHoursScheduleRequest{
 			Schedule: "CRON_TZ=Deans/House 0 0 * * *",
 		})
 		require.Error(t, err)
 		require.ErrorContains(t, err, "parse daily schedule")

 		// Try setting a schedule with more than one time.
-		_, err = client.UpdateUserQuietHoursSchedule(ctx, user.UserID.String(), codersdk.UpdateUserQuietHoursScheduleRequest{
+		_, err = client.UpdateUserQuietHoursSchedule(ctx, user.ID.String(), codersdk.UpdateUserQuietHoursScheduleRequest{
 			Schedule: "CRON_TZ=America/Chicago 0 0,12 * * *",
 		})
 		require.Error(t, err)
 		require.ErrorContains(t, err, "more than one time")
-		_, err = client.UpdateUserQuietHoursSchedule(ctx, user.UserID.String(), codersdk.UpdateUserQuietHoursScheduleRequest{
+		_, err = client.UpdateUserQuietHoursSchedule(ctx, user.ID.String(), codersdk.UpdateUserQuietHoursScheduleRequest{
 			Schedule: "CRON_TZ=America/Chicago 0-30 0 * * *",
 		})
 		require.Error(t, err)