mirror of
https://github.com/coder/coder.git
synced 2025-07-03 16:13:58 +00:00
f0f39b4892
- rbac: export rbac.Permissions - dbauthz: move GetDeploymentDAUs, GetTemplateDAUs, GetTemplateAverageBuildTime from querier.go to system.go and removes auth checks - dbauthz: remove AsSystem(), add individual roles for autostart, provisionerd, add restricted system role for everything else
112 lines
3.1 KiB
Go
112 lines
3.1 KiB
Go
package httpmw
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"net/http"
|
|
|
|
"golang.org/x/xerrors"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
"github.com/google/uuid"
|
|
|
|
"github.com/coder/coder/coderd/database"
|
|
"github.com/coder/coder/coderd/database/dbauthz"
|
|
"github.com/coder/coder/coderd/httpapi"
|
|
"github.com/coder/coder/codersdk"
|
|
)
|
|
|
|
type userParamContextKey struct{}
|
|
|
|
const (
|
|
// userErrorMessage is a constant so that no information about the state
|
|
// of the queried user can be gained. We return the same error if the user
|
|
// does not exist, or if the input is just garbage.
|
|
userErrorMessage = "\"user\" must be an existing uuid or username."
|
|
)
|
|
|
|
// UserParam returns the user from the ExtractUserParam handler.
|
|
func UserParam(r *http.Request) database.User {
|
|
user, ok := r.Context().Value(userParamContextKey{}).(database.User)
|
|
if !ok {
|
|
panic("developer error: user parameter middleware not provided")
|
|
}
|
|
return user
|
|
}
|
|
|
|
// ExtractUserParam extracts a user from an ID/username in the {user} URL
|
|
// parameter.
|
|
//
|
|
//nolint:revive
|
|
func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
|
var (
|
|
ctx = r.Context()
|
|
user database.User
|
|
err error
|
|
)
|
|
|
|
// userQuery is either a uuid, a username, or 'me'
|
|
userQuery := chi.URLParam(r, "user")
|
|
if userQuery == "" {
|
|
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
|
|
Message: "\"user\" must be provided.",
|
|
})
|
|
return
|
|
}
|
|
|
|
if userQuery == "me" {
|
|
apiKey, ok := APIKeyOptional(r)
|
|
if !ok {
|
|
if redirectToLoginOnMe {
|
|
RedirectToLogin(rw, r, SignedOutErrorMessage)
|
|
return
|
|
}
|
|
|
|
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
|
|
Message: "Cannot use \"me\" without a valid session.",
|
|
})
|
|
return
|
|
}
|
|
//nolint:gocritic // System needs to be able to get user from param.
|
|
user, err = db.GetUserByID(dbauthz.AsSystemRestricted(ctx), apiKey.UserID)
|
|
if xerrors.Is(err, sql.ErrNoRows) {
|
|
httpapi.ResourceNotFound(rw)
|
|
return
|
|
}
|
|
if err != nil {
|
|
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
|
|
Message: "Internal error fetching user.",
|
|
Detail: err.Error(),
|
|
})
|
|
return
|
|
}
|
|
} else if userID, err := uuid.Parse(userQuery); err == nil {
|
|
//nolint:gocritic // If the userQuery is a valid uuid
|
|
user, err = db.GetUserByID(dbauthz.AsSystemRestricted(ctx), userID)
|
|
if err != nil {
|
|
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
|
|
Message: userErrorMessage,
|
|
})
|
|
return
|
|
}
|
|
} else {
|
|
// nolint:gocritic // Try as a username last
|
|
user, err = db.GetUserByEmailOrUsername(dbauthz.AsSystemRestricted(ctx), database.GetUserByEmailOrUsernameParams{
|
|
Username: userQuery,
|
|
})
|
|
if err != nil {
|
|
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
|
|
Message: userErrorMessage,
|
|
})
|
|
return
|
|
}
|
|
}
|
|
|
|
ctx = context.WithValue(ctx, userParamContextKey{}, user)
|
|
next.ServeHTTP(rw, r.WithContext(ctx))
|
|
})
|
|
}
|
|
}
|