Commit 877a176

chore: enforce tpl use in dbauthz
1 parent 8a5dd8e commit 877a176

2 files changed

+20
-12
lines changed


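--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -3158,6 +3158,14 @@ func (q *querier) InsertUserLink(ctx context.Context, arg database.InsertUserLin
 
 func (q *querier) InsertWorkspace(ctx context.Context, arg database.InsertWorkspaceParams) (database.WorkspaceTable, error) {
 obj := rbac.ResourceWorkspace.WithOwner(arg.OwnerID.String()).InOrg(arg.OrganizationID)
+tpl, err := q.GetTemplateByID(ctx, arg.TemplateID)
+if err != nil {
+return database.WorkspaceTable{}, xerrors.Errorf("verify template by id: %w", err)
+}
+if err := q.authorizeContext(ctx, policy.ActionUse, tpl); err != nil {
+return database.WorkspaceTable{}, xerrors.Errorf("use template for workspace: %w", err)
+}
+
 return insert(q.log, q.auth, obj, q.db.InsertWorkspace)(ctx, arg)
 }
 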
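Review bot: The new template lookup and `use` check in InsertWorkspace carry no comment saying why a DB-layer authorization now exists alongside the handler's check, which is exactly what a later maintainer needs before deciding either one is redundant; suggest `// Creating a workspace also requires "use" on its template. Enforced here so every caller of InsertWorkspace is covered, not only the HTTP handler.` above the GetTemplateByID call. Because the lookup goes through the authorized `q.GetTemplateByID` rather than `q.db`, an actor without read access on the template fails on the "verify template by id" path rather than the "use" one, which is acceptable for enforcement but worth knowing when callers match on the error. Any non-HTTP path that reaches InsertWorkspace with an actor that can create workspaces but lacks `use` on the template would now be rejected as well; those callers are not visible here, so that is something to confirm against the existing tests rather than a defect I can point at.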

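--- a/coderd/workspaces.go
+++ b/coderd/workspaces.go
@@ -515,18 +515,6 @@ func createWorkspace(
 return
 }
 
-// The user also needs permission to use the template. At this point they have
-// read perms, but not necessarily "use"
-if !api.Authorize(r, policy.ActionUse, template) {
-httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
-Message: fmt.Sprintf("Unauthorized access to use the template %q.", template.Name),
-Detail: "Although you are able to view the template, you are unable to create a workspace using it. " +
-"Please contact an administrator about your permissions if you feel this is an error.",
-Validations: nil,
-})
-return
-}
-
 // Update audit log's organization
 auditReq.UpdateOrganizationID(template.OrganizationID)
 
@@ -537,6 +525,18 @@ func createWorkspace(
 httpapi.ResourceNotFound(rw)
 return
 }
+// The user also needs permission to use the template. At this point they have
+// read perms, but not necessarily "use". This is also checked in `db.InsertWorkspace`.
+// Doing this up front can save some work below if the user doesn't have permission.
+if !api.Authorize(r, policy.ActionUse, template) {
+httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
+Message: fmt.Sprintf("Unauthorized access to use the template %q.", template.Name),
+Detail: "Although you are able to view the template, you are unable to create a workspace using it. " +
+"Please contact an administrator about your permissions if you feel this is an error.",
+Validations: nil,
+})
+return
+}
 
 templateAccessControl := (*(api.AccessControlStore.Load())).GetTemplateAccessControl(template)
 if templateAccessControl.IsDeprecated() {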
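Review bot: The relocated comment at new line 530 says `Doing this up front can save some work below`, but the two hunks together move the check later in createWorkspace (from before the audit-log organization update to after the lookup that answers with ResourceNotFound), so "up front" no longer describes where it sits; suggest `// Doing this before the deprecation and access-control checks below avoids that work when the user lacks permission.` The backticked `db.InsertWorkspace` in the same comment points at the dbauthz wrapper, which a reader searching for that name will not find; naming it `dbauthz.(*querier).InsertWorkspace` makes the cross-reference precise. createWorkspace starts and ends outside both hunks.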
