fix: Fix nil-pointer deref on checkAuthorization (coder#5236)

mafredri · web-flow · commit 2ec3b09ca7e8 · 2022-12-01T18:42:10.000Z
Remove call to `err.Error()` on a `nil` error in `checkAuthorization`.
diff --git a/coderd/authorize.go b/coderd/authorize.go
@@ -192,9 +192,10 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 			case rbac.ResourceGroup.Type:
 				dbObj, dbErr = api.Database.GetGroupByID(ctx, id)
 			default:
+				msg := fmt.Sprintf("Object type %q does not support \"resource_id\" field.", v.Object.ResourceType)
 				httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-					Message:     fmt.Sprintf("Object type %q does not support \"resource_id\" field.", v.Object.ResourceType),
-					Validations: []codersdk.ValidationError{{Field: "resource_type", Detail: err.Error()}},
+					Message:     msg,
+					Validations: []codersdk.ValidationError{{Field: "resource_type", Detail: msg}},
 				})
 				return
 			}
@@ -206,7 +207,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 			obj = dbObj.RBACObject()
 		}
 
-		err := api.Authorizer.ByRoleName(r.Context(), auth.ID.String(), auth.Roles, auth.Scope.ToRBAC(), auth.Groups, rbac.Action(v.Action), obj)
+		err := api.Authorizer.ByRoleName(ctx, auth.ID.String(), auth.Roles, auth.Scope.ToRBAC(), auth.Groups, rbac.Action(v.Action), obj)
 		response[k] = err == nil
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -192,9 +192,10 @@ func (api API) checkAuthorization(rw http.ResponseWriter, r http.Request) {`
`192`	`192`	`case rbac.ResourceGroup.Type:`
`193`	`193`	`dbObj, dbErr = api.Database.GetGroupByID(ctx, id)`
`194`	`194`	`default:`
	`195`	`+ msg := fmt.Sprintf("Object type %q does not support \"resource_id\" field.", v.Object.ResourceType)`
`195`	`196`	`httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{`
`196`		`- Message: fmt.Sprintf("Object type %q does not support \"resource_id\" field.", v.Object.ResourceType),`
`197`		`- Validations: []codersdk.ValidationError{{Field: "resource_type", Detail: err.Error()}},`
	`197`	`+ Message: msg,`
	`198`	`+ Validations: []codersdk.ValidationError{{Field: "resource_type", Detail: msg}},`
`198`	`199`	`})`
`199`	`200`	`return`
`200`	`201`	`}`
`@@ -206,7 +207,7 @@ func (api API) checkAuthorization(rw http.ResponseWriter, r http.Request) {`
`206`	`207`	`obj = dbObj.RBACObject()`
`207`	`208`	`}`
`208`	`209`
`209`		`- err := api.Authorizer.ByRoleName(r.Context(), auth.ID.String(), auth.Roles, auth.Scope.ToRBAC(), auth.Groups, rbac.Action(v.Action), obj)`
	`210`	`+ err := api.Authorizer.ByRoleName(ctx, auth.ID.String(), auth.Roles, auth.Scope.ToRBAC(), auth.Groups, rbac.Action(v.Action), obj)`
`210`	`211`	`response[k] = err == nil`
`211`	`212`	`}`
`212`	`213`