@@ -1248,22 +1248,28 @@ func (q *querier) GetApplicationName(ctx context.Context) (string, error) {
12481248}
12491249
12501250func (q * querier )GetAuditLogsOffset (ctx context.Context ,arg database.GetAuditLogsOffsetParams ) ([]database.GetAuditLogsOffsetRow ,error ) {
1251- // To optimize the authz checks for audit logs, do not run an authorize
1252- // check on each individual audit log row. In practice, audit logs are either
1253- // fetched from a global or an organization scope.
1254- // Applying a SQL filter would slow down the query for no benefit on how this query is
1255- // actually used.
1256-
1257- object := rbac .ResourceAuditLog
1258- if arg .OrganizationID != uuid .Nil {
1259- object = object .InOrg (arg .OrganizationID )
1251+ //// To optimize the authz checks for audit logs, do not run an authorize
1252+ //// check on each individual audit log row. In practice, audit logs are either
1253+ //// fetched from a global or an organization scope.
1254+ //// Applying a SQL filter would slow down the query for no benefit on how this query is
1255+ //// actually used.
1256+ //
1257+ //object := rbac.ResourceAuditLog
1258+ //if arg.OrganizationID != uuid.Nil {
1259+ //object = object.InOrg(arg.OrganizationID)
1260+ //}
1261+ //
1262+ //if err := q.authorizeContext(ctx, policy.ActionRead, object); err != nil {
1263+ //return nil, err
1264+ //}
1265+
1266+ prep ,err := prepareSQLFilter (ctx ,q .auth ,policy .ActionRead ,rbac .ResourceAuditLog .Type )
1267+ if err != nil {
1268+ return nil ,xerrors .Errorf ("(dev error) prepare sql filter: %w" ,err )
12601269}
12611270
1262- if err := q .authorizeContext (ctx ,policy .ActionRead ,object );err != nil {
1263- return nil ,err
1264- }
12651271
1266- return q .db .GetAuditLogsOffset (ctx ,arg )
1272+ return q .db .GetAuthorizedAuditLogsOffset (ctx ,arg , prep )
12671273}
12681274
12691275func (q * querier )GetAuthorizationUserRoles (ctx context.Context ,userID uuid.UUID ) (database.GetAuthorizationUserRolesRow ,error ) {