feat: Implement RBAC checks on /templates endpoints (#1678)

* feat: Generic Filter method for rbac objects
2025-07-03 16:13:58 +00:00 · 2022-05-24 08:43:34 -05:00
parent fcd610ee7b
commit c7ca86d374
11 changed files with 221 additions and 73 deletions
--- a/coderd/rbac/authz.go
+++ b/coderd/rbac/authz.go
@ -3,7 +3,6 @@ package rbac
 import (
 	"context"
 	_ "embed"
-
 	"golang.org/x/xerrors"

 	"github.com/open-policy-agent/opa/rego"
@ -13,6 +12,24 @@ type Authorizer interface {
 	ByRoleName(ctx context.Context, subjectID string, roleNames []string, action Action, object Object) error
 }

+// Filter takes in a list of objects, and will filter the list removing all
+// the elements the subject does not have permission for.
+// Filter does not allocate a new slice, and will use the existing one
+// passed in. This can cause memory leaks if the slice is held for a prolonged
+// period of time.
+func Filter[O Objecter](ctx context.Context, auth Authorizer, subjID string, subjRoles []string, action Action, objects []O) []O {
+	filtered := make([]O, 0)
+
+	for i := range objects {
+		object := objects[i]
+		err := auth.ByRoleName(ctx, subjID, subjRoles, action, object.RBACObject())
+		if err == nil {
+			filtered = append(filtered, object)
+		}
+	}
+	return filtered
+}
+
 // RegoAuthorizer will use a prepared rego query for performing authorize()
 type RegoAuthorizer struct {
 	query rego.PreparedEvalQuery