1 parentc05a5de commit60faeb9Copy full SHA for 60faeb9
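--- a/coderd/workspaceagents.go
+++ b/coderd/workspaceagents.go
@@ -1580,6 +1580,15 @@ func (api *API) workspaceAgentsExternalAuth(rw http.ResponseWriter, r *http.Requ
 return
 }
 
+// Pre-check if the caller can read the external auth links for the owner of the
+// workspace. Do this up front because a sql.ErrNoRows is expected if the user is
+// in the flow of authenticating. If no row is present, the auth check is delayed
+// until the user authenticates. It is preferred to reject early.
+if!api.Authorize(r,policy.ActionReadPersonal,rbac.ResourceUserObject(workspace.OwnerID)) {
+httpapi.Forbidden(rw)
+return
+}
+
 varpreviousToken*database.ExternalAuthLink
 // handleRetrying will attempt to continually check for a new token
 // if listen is true. This is useful if an error is encountered in the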
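Review bot: The added `api.Authorize` pre-check is a second copy of an authorization decision that, by the comment's own account, is otherwise made only once a link row exists, and nothing in the hunk ties the two together, so they can drift apart if either side changes. The later check is outside the hunk (workspaceAgentsExternalAuth starts before and continues after it), so this is inferred from the comment rather than from visible code. I would extend the comment with a line such as `// Keep in sync with the RBAC check enforced when the external auth link row is read below.` and name the action and resource that read enforces. A regression test that calls this endpoint as a principal without `policy.ActionReadPersonal` on the workspace owner, once with no link row and once with one, and expects 403 in both cases would pin the behaviour; no test is visible in this file section.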