@@ -1182,6 +1182,27 @@ func (q *querier) customRoleCheck(ctx context.Context, role database.CustomRole)
11821182return nil
11831183}
11841184
1185+ func (q * querier )authorizeProvisionerJob (ctx context.Context ,job database.ProvisionerJob )error {
1186+ switch job .Type {
1187+ case database .ProvisionerJobTypeWorkspaceBuild :
1188+ // Authorized call to get workspace build. If we can read the build, we
1189+ // can read the job.
1190+ _ ,err := q .GetWorkspaceBuildByJobID (ctx ,job .ID )
1191+ if err != nil {
1192+ return xerrors .Errorf ("fetch related workspace build: %w" ,err )
1193+ }
1194+ case database .ProvisionerJobTypeTemplateVersionDryRun ,database .ProvisionerJobTypeTemplateVersionImport :
1195+ // Authorized call to get template version.
1196+ _ ,err := authorizedTemplateVersionFromJob (ctx ,q ,job )
1197+ if err != nil {
1198+ return xerrors .Errorf ("fetch related template version: %w" ,err )
1199+ }
1200+ default :
1201+ return xerrors .Errorf ("unknown job type: %q" ,job .Type )
1202+ }
1203+ return nil
1204+ }
1205+
11851206func (q * querier )AcquireLock (ctx context.Context ,id int64 )error {
11861207return q .db .AcquireLock (ctx ,id )
11871208}
@@ -2445,32 +2466,24 @@ func (q *querier) GetProvisionerJobByID(ctx context.Context, id uuid.UUID) (data
24452466return database.ProvisionerJob {},err
24462467}
24472468
2448- switch job .Type {
2449- case database .ProvisionerJobTypeWorkspaceBuild :
2450- // Authorized call to get workspace build. If we can read the build, we
2451- // can read the job.
2452- _ ,err := q .GetWorkspaceBuildByJobID (ctx ,id )
2453- if err != nil {
2454- return database.ProvisionerJob {},xerrors .Errorf ("fetch related workspace build: %w" ,err )
2455- }
2456- case database .ProvisionerJobTypeTemplateVersionDryRun ,database .ProvisionerJobTypeTemplateVersionImport :
2457- // Authorized call to get template version.
2458- _ ,err := authorizedTemplateVersionFromJob (ctx ,q ,job )
2459- if err != nil {
2460- return database.ProvisionerJob {},xerrors .Errorf ("fetch related template version: %w" ,err )
2461- }
2462- default :
2463- return database.ProvisionerJob {},xerrors .Errorf ("unknown job type: %q" ,job .Type )
2469+ if err := q .authorizeProvisionerJob (ctx ,job );err != nil {
2470+ return database.ProvisionerJob {},err
24642471}
24652472
24662473return job ,nil
24672474}
24682475
24692476func (q * querier )GetProvisionerJobByIDForUpdate (ctx context.Context ,id uuid.UUID ) (database.ProvisionerJob ,error ) {
2470- if err := q .authorizeContext (ctx ,policy .ActionRead ,rbac .ResourceProvisionerJobs );err != nil {
2477+ job ,err := q .db .GetProvisionerJobByIDForUpdate (ctx ,id )
2478+ if err != nil {
24712479return database.ProvisionerJob {},err
24722480}
2473- return q .db .GetProvisionerJobByIDForUpdate (ctx ,id )
2481+
2482+ if err := q .authorizeProvisionerJob (ctx ,job );err != nil {
2483+ return database.ProvisionerJob {},err
2484+ }
2485+
2486+ return job ,nil
24742487}
24752488
24762489func (q * querier )GetProvisionerJobTimingsByJobID (ctx context.Context ,jobID uuid.UUID ) ([]database.ProvisionerJobTiming ,error ) {