Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit015a6f9

Browse files
authored
fix: RBAC should default deny missing variables. (#5105)
* fix: RBAC should default deny missing variables.The default behavior was to use 'true' for missing variables. Thiswas an incorrect assumption. If the variable is missing, the newdefault is to deny (fail secure).* Assert 1 workspace is returned for the owners
1 parent1fcc7ca commit015a6f9

File tree

3 files changed

+11
-5
lines changed

3 files changed

+11
-5
lines changed

‎coderd/rbac/query.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -470,7 +470,7 @@ func (t opInternalMember2) SQLString(cfg SQLConfig) string {
470470
}
471471

472472
ifsqlType==VarTypeSkip {
473-
return"true"
473+
return"false"
474474
}
475475
}
476476

‎coderd/rbac/query_internal_test.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -84,7 +84,7 @@ func TestCompileQuery(t *testing.T) {
8484
`"*" in input.object.acl_group_list["4d30d4a8-b87d-45ac-b0d4-51b2e68e7e75"]`,
8585
))
8686
require.NoError(t,err,"compile")
87-
require.Equal(t,`true`,
87+
require.Equal(t,`false`,
8888
expression.SQLString(NoACLConfig()),"literal dereference")
8989
})
9090
}

‎coderd/workspaces_test.go

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -170,14 +170,20 @@ func TestAdminViewAllWorkspaces(t *testing.T) {
170170

171171
// This other user is not in the first user's org. Since other is an admin, they can
172172
// still see the "first" user's workspace.
173-
other:=coderdtest.CreateAnotherUser(t,client,otherOrg.ID,rbac.RoleOwner())
174-
otherWorkspaces,err:=other.Workspaces(ctx, codersdk.WorkspaceFilter{})
173+
otherOwner:=coderdtest.CreateAnotherUser(t,client,otherOrg.ID,rbac.RoleOwner())
174+
otherWorkspaces,err:=otherOwner.Workspaces(ctx, codersdk.WorkspaceFilter{})
175175
require.NoError(t,err,"(other) fetch workspaces")
176176

177-
firstWorkspaces,err:=other.Workspaces(ctx, codersdk.WorkspaceFilter{})
177+
firstWorkspaces,err:=client.Workspaces(ctx, codersdk.WorkspaceFilter{})
178178
require.NoError(t,err,"(first) fetch workspaces")
179179

180180
require.ElementsMatch(t,otherWorkspaces.Workspaces,firstWorkspaces.Workspaces)
181+
require.Equal(t,len(firstWorkspaces.Workspaces),1,"should be 1 workspace present")
182+
183+
memberView:=coderdtest.CreateAnotherUser(t,client,otherOrg.ID)
184+
memberViewWorkspaces,err:=memberView.Workspaces(ctx, codersdk.WorkspaceFilter{})
185+
require.NoError(t,err,"(member) fetch workspaces")
186+
require.Equal(t,0,len(memberViewWorkspaces.Workspaces),"member in other org should see 0 workspaces")
181187
}
182188

183189
funcTestPostWorkspacesByOrganization(t*testing.T) {

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp