NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit16d0869

committed

frobulating happily together

1 parentd24bf88 commit16d0869Copy full SHA for 16d0869

File tree

4 files changed

+17

-22

lines changed

coderd
- database
  - dbauthz
    - dbauthz.go
  - modelmethods.go
- frobulators.go
- rbac
  - roles.go

4 files changed

+17

-22

lines changed

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 10 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -2060,10 +2060,16 @@ func (q *querier) GetUserCount(ctx context.Context) (int64, error) {`
`2060`	`2060`	`}`
`2061`	`2061`
`2062`	`2062`	`func (q*querier)GetUserFrobulators(ctx context.Context,userID uuid.UUID) ([]database.Frobulator,error) {`
`2063`		`-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceFrobulator.WithOwner(userID.String()));err!=nil {`
`2064`		`-returnnil,err`
`2065`		`-}`
`2066`		`-returnq.db.GetUserFrobulators(ctx,userID)`
	`2063`	`+returnfetchWithPostFilter(q.auth,policy.ActionRead,q.db.GetUserFrobulators)(ctx,userID)`
	`2064`	`+// Alternatively: just check if you can read a Frobulator owned by your ID.`
	`2065`	`+// This is technically incorrect, as if Frobulators later become org-scoped, this will no longer be correct!`
	`2066`	`+// But it's much, much faster .`
	`2067`	`+/*`
	`2068`	`+if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceFrobulator.WithOwner(userID.String())); err != nil {`
	`2069`	`+return nil, err`
	`2070`	`+}`
	`2071`	`+return q.db.GetUserFrobulators(ctx, userID)`
	`2072`	`+*/`
`2067`	`2073`	`}`
`2068`	`2074`
`2069`	`2075`	`func (q*querier)GetUserLatencyInsights(ctx context.Context,arg database.GetUserLatencyInsightsParams) ([]database.GetUserLatencyInsightsRow,error) {`

`‎coderd/database/modelmethods.go`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -117,6 +117,10 @@ func (k APIKey) RBACObject() rbac.Object {`
`117`	`117`	`WithOwner(k.UserID.String())`
`118`	`118`	`}`
`119`	`119`
	`120`	`+func (fFrobulator)RBACObject() rbac.Object {`
	`121`	`+returnrbac.ResourceFrobulator.WithID(f.ID).WithOwner(f.UserID.String())`
	`122`	`+}`
	`123`	`+`
`120`	`124`	`func (tTemplate)RBACObject() rbac.Object {`
`121`	`125`	`returnrbac.ResourceTemplate.WithID(t.ID).`
`122`	`126`	`InOrg(t.OrganizationID).`

`‎coderd/frobulators.go`

Lines changed: 0 additions & 16 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,6 @@ import (`
`8`	`8`	`"github.com/coder/coder/v2/coderd/database"`
`9`	`9`	`"github.com/coder/coder/v2/coderd/httpapi"`
`10`	`10`	`"github.com/coder/coder/v2/coderd/httpmw"`
`11`		`-"github.com/coder/coder/v2/coderd/rbac"`
`12`		`-"github.com/coder/coder/v2/coderd/rbac/policy"`
`13`	`11`	`"github.com/coder/coder/v2/codersdk"`
`14`	`12`	`)`
`15`	`13`
`@@ -26,10 +24,6 @@ import (`
`26`	`24`	`func (apiAPI)createFrobulator(rw http.ResponseWriter,rhttp.Request) {`
`27`	`25`	`ctx:=r.Context()`
`28`	`26`	`user:=httpmw.UserParam(r)`
`29`		`-if!api.Authorize(r,policy.ActionCreate,rbac.ResourceFrobulator.WithOwner(user.ID.String())) {`
`30`		`-httpapi.Forbidden(rw)`
`31`		`-return`
`32`		`-}`
`33`	`27`
`34`	`28`	`varreq codersdk.InsertFrobulatorRequest`
`35`	`29`	`if!httpapi.Read(ctx,rw,r,&req) {`
`@@ -60,12 +54,6 @@ func (api API) createFrobulator(rw http.ResponseWriter, r http.Request) {`
`60`	`54`	`// @Router /frobulators/{user} [get]`
`61`	`55`	`func (apiAPI)listUserFrobulators(rw http.ResponseWriter,rhttp.Request) {`
`62`	`56`	`ctx:=r.Context()`
`63`		`-key:=httpmw.APIKey(r)`
`64`		`-if!api.Authorize(r,policy.ActionRead,rbac.ResourceFrobulator.WithOwner(key.UserID.String())) {`
`65`		`-httpapi.Forbidden(rw)`
`66`		`-return`
`67`		`-}`
`68`		`-`
`69`	`57`	`user:=httpmw.UserParam(r)`
`70`	`58`	`frobs,err:=api.Database.GetUserFrobulators(ctx,user.ID)`
`71`	`59`	`iferr!=nil {`
`@@ -94,10 +82,6 @@ func (api API) listUserFrobulators(rw http.ResponseWriter, r http.Request) {`
`94`	`82`	`// @Router /frobulators [get]`
`95`	`83`	`func (apiAPI)listAllFrobulators(rw http.ResponseWriter,rhttp.Request) {`
`96`	`84`	`ctx:=r.Context()`
`97`		`-if!api.Authorize(r,policy.ActionRead,rbac.ResourceFrobulator) {`
`98`		`-httpapi.Forbidden(rw)`
`99`		`-return`
`100`		`-}`
`101`	`85`
`102`	`86`	`frobs,err:=api.Database.GetAllFrobulators(ctx)`
`103`	`87`	`iferr!=nil {`

`‎coderd/rbac/roles.go`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -310,6 +310,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`310`	`310`	`ResourceDeploymentConfig.Type: {policy.ActionRead},`
`311`	`311`	`// Org roles are not really used yet, so grant the perm at the site level.`
`312`	`312`	`ResourceOrganizationMember.Type: {policy.ActionRead},`
	`313`	`+// The site-wide auditor is allowed to read all frobulators, regardless of who owns them.`
	`314`	`+ResourceFrobulator.Type: {policy.ActionRead},`
`313`	`315`	`}),`
`314`	`316`	`Org:map[string][]Permission{},`
`315`	`317`	`User: []Permission{},`
`@@ -439,8 +441,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`439`	`441`	`Site: []Permission{},`
`440`	`442`	`Org:map[string][]Permission{`
`441`	`443`	`organizationID.String():Permissions(map[string][]policy.Action{`
`442`		`-ResourceAuditLog.Type: {policy.ActionRead},`
`443`		`-ResourceFrobulator.Type: {policy.ActionRead},`
	`444`	`+ResourceAuditLog.Type: {policy.ActionRead},`
`444`	`445`	`}),`
`445`	`446`	`},`
`446`	`447`	`User: []Permission{},`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit16d0869

File tree

4 files changed

4 files changed

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/database/modelmethods.go`

`‎coderd/frobulators.go`

`‎coderd/rbac/roles.go`

0 commit comments