synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-03 16:13:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: break down dbauthz.System into smaller roles (#6218)

Browse Source 
- rbac: export rbac.Permissions
- dbauthz: move GetDeploymentDAUs, GetTemplateDAUs,
  GetTemplateAverageBuildTime from querier.go to system.go
  and removes auth checks
- dbauthz: remove AsSystem(), add individual roles for
  autostart, provisionerd, add restricted system role for 
  everything else
This commit is contained in:
Cian Johnston
2023-02-15 16:14:37 +00:00
committed by GitHub
parent 84da6056b2
commit f0f39b4892
25 changed files with 180 additions and 141 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
coderd/users.go
View File

@ -38,8 +38,7 @@ import (
// @Router /users/first [get]
func (api *API) firstUser(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
//nolint:gocritic // needed for first user check
userCount, err := api.Database.GetUserCount(dbauthz.AsSystem(ctx))
userCount, err := api.Database.GetUserCount(ctx)
if err != nil {
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
Message: "Internal error fetching user count.",
@ -80,8 +79,7 @@ func (api *API) postFirstUser(rw http.ResponseWriter, r *http.Request) {
}
// This should only function for the first user.
//nolint:gocritic // needed to create first user
userCount, err := api.Database.GetUserCount(dbauthz.AsSystem(ctx))
userCount, err := api.Database.GetUserCount(ctx)
if err != nil {
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
Message: "Internal error fetching user count.",
@ -122,7 +120,7 @@ func (api *API) postFirstUser(rw http.ResponseWriter, r *http.Request) {
}
//nolint:gocritic // needed to create first user
user, organizationID, err := api.CreateUser(dbauthz.AsSystem(ctx), api.Database, CreateUserRequest{
user, organizationID, err := api.CreateUser(dbauthz.AsSystemRestricted(ctx), api.Database, CreateUserRequest{
CreateUserRequest: codersdk.CreateUserRequest{
Email: createUser.Email,
Username: createUser.Username,
@ -152,7 +150,7 @@ func (api *API) postFirstUser(rw http.ResponseWriter, r *http.Request) {
// and add some rbac bypass when calling api functions this way??
// Add the admin role to this first user.
//nolint:gocritic // needed to create first user
_, err = api.Database.UpdateUserRoles(dbauthz.AsSystem(ctx), database.UpdateUserRolesParams{
_, err = api.Database.UpdateUserRoles(dbauthz.AsSystemRestricted(ctx), database.UpdateUserRolesParams{
GrantedRoles: []string{rbac.RoleOwner()},
ID: user.ID,
})