NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit422e044

authored

chore: forbidden error on create workspace without permissions (#14347)

Multi-org enables the possibility of a user having template permissions,but not workspace create permissions. The unauthorized error should bereturned instead of a 404. This does not leak any information the usercannot already obtain.

1 parentc3ef7dc commit422e044Copy full SHA for 422e044

File tree

1 file changed

+16

-7

lines changed

coderd
- workspaces.go

1 file changed

+16

-7

lines changed

`‎coderd/workspaces.go`

Lines changed: 16 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -374,13 +374,6 @@ func (api API) postWorkspacesByOrganization(rw http.ResponseWriter, r http.Req`
`374`	`374`
`375`	`375`	`defercommitAudit()`
`376`	`376`
`377`		`-// Do this upfront to save work.`
`378`		`-if!api.Authorize(r,policy.ActionCreate,`
`379`		`-rbac.ResourceWorkspace.InOrg(organization.ID).WithOwner(member.UserID.String())) {`
`380`		`-httpapi.ResourceNotFound(rw)`
`381`		`-return`
`382`		`-}`
`383`		`-`
`384`	`377`	`varreq codersdk.CreateWorkspaceRequest`
`385`	`378`	`if!httpapi.Read(ctx,rw,r,&req) {`
`386`	`379`	`return`
`@@ -522,6 +515,22 @@ func createWorkspace(`
`522`	`515`	`return`
`523`	`516`	`}`
`524`	`517`
	`518`	`+// This is a premature auth check to avoid doing unnecessary work if the user`
	`519`	`+// doesn't have permission to create a workspace.`
	`520`	`+if!api.Authorize(r,policy.ActionCreate,`
	`521`	`+rbac.ResourceWorkspace.InOrg(template.OrganizationID).WithOwner(owner.ID.String())) {`
	`522`	`+// If this check fails, return a proper unauthorized error to the user to indicate`
	`523`	`+// what is going on.`
	`524`	`+httpapi.Write(ctx,rw,http.StatusForbidden, codersdk.Response{`
	`525`	`+Message:"Unauthorized to create workspace.",`
	`526`	`+Detail:"You are unable to create a workspace in this organization. "+`
	`527`	`+"It is possible to have access to the template, but not be able to create a workspace. "+`
	`528`	`+"Please contact an administrator about your permissions if you feel this is an error.",`
	`529`	`+Validations:nil,`
	`530`	`+})`
	`531`	`+return`
	`532`	`+}`
	`533`	`+`
`525`	`534`	`// Update audit log's organization`
`526`	`535`	`auditReq.UpdateOrganizationID(template.OrganizationID)`
`527`	`536`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit422e044

File tree

1 file changed

1 file changed

`‎coderd/workspaces.go`

0 commit comments