checkpoint: one passing test

johnstcn · johnstcn · commit 629d31503f6e · 2022-04-07T14:50:54.000Z
diff --git a/coderd/authz/authz.go b/coderd/authz/authz.go
@@ -1,10 +1,20 @@
 package authz
 
-import "github.com/coder/coder/coderd/authz/rbac"
+import (
+	"errors"
+
+	"github.com/coder/coder/coderd/authz/rbac"
+)
+
+var ErrUnauthorized = errors.New("unauthorized")
 
 // TODO: Implement Authorize
-func Authorize(subj Subject, obj Resource, action rbac.Operation) error {
+func Authorize(subj Subject, res Resource, action rbac.Operation) error {
 	// TODO: Expand subject roles into their permissions as appropriate. Apply scopes.
 
-	return nil
+	if SiteEnforcer.RolesHavePermission(subj.Roles(), res.ResourceType(), action) {
+		return nil
+	}
+
+	return ErrUnauthorized
 }
diff --git a/coderd/authz/subject.go b/coderd/authz/subject.go
@@ -13,7 +13,7 @@ type Subject interface {
 	// object, we can assume the object is owned by this subject.
 	ID() string
 
-	Roles() (rbac.Roles, error)
+	Roles() rbac.Roles
 
 	// OrgRoles only need to be returned for the organization in question.
 	// This is because users typically belong to more than 1 organization,
@@ -38,8 +38,8 @@ func (s SubjectTODO) ID() string {
 	return s.UserID
 }
 
-func (s SubjectTODO) Roles() (rbac.Roles, error) {
-	return s.Site, nil
+func (s SubjectTODO) Roles() rbac.Roles {
+	return s.Site
 }
 
 func (s SubjectTODO) OrgRoles(_ context.Context, orgID string) (rbac.Roles, error) {
