@@ -575,11 +575,6 @@ func (q *querier) canAssignRoles(ctx context.Context, orgID *uuid.UUID, added, r
575575 return nil
576576}
577577
578- func (q * querier ) GetAuthorizedTemplates (ctx context.Context , arg database.GetTemplatesWithFilterParams , _ rbac.PreparedAuthorized ) ([]database.Template , error ) {
579- // TODO Delete this function, all GetTemplates should be authorized. For now just call getTemplates on the authz querier.
580- return q .GetTemplatesWithFilter (ctx , arg )
581- }
582-
583578func (q * querier ) SoftDeleteTemplateByID (ctx context.Context , id uuid.UUID ) error {
584579 deleteF := func (ctx context.Context , id uuid.UUID ) error {
585580 return q .db .UpdateTemplateDeletedByID (ctx , database.UpdateTemplateDeletedByIDParams {
@@ -591,30 +586,6 @@ func (q *querier) SoftDeleteTemplateByID(ctx context.Context, id uuid.UUID) erro
591586 return deleteQ (q .log , q .auth , q .db .GetTemplateByID , deleteF )(ctx , id )
592587}
593588
594- func (q * querier ) GetTemplateGroupRoles (ctx context.Context , id uuid.UUID ) ([]database.TemplateGroup , error ) {
595- // An actor is authorized to read template group roles if they are authorized to read the template.
596- template , err := q .db .GetTemplateByID (ctx , id )
597- if err != nil {
598- return nil , err
599- }
600- if err := q .authorizeContext (ctx , rbac .ActionRead , template ); err != nil {
601- return nil , err
602- }
603- return q .db .GetTemplateGroupRoles (ctx , id )
604- }
605-
606- func (q * querier ) GetTemplateUserRoles (ctx context.Context , id uuid.UUID ) ([]database.TemplateUser , error ) {
607- // An actor is authorized to query template user roles if they are authorized to read the template.
608- template , err := q .db .GetTemplateByID (ctx , id )
609- if err != nil {
610- return nil , err
611- }
612- if err := q .authorizeContext (ctx , rbac .ActionRead , template ); err != nil {
613- return nil , err
614- }
615- return q .db .GetTemplateUserRoles (ctx , id )
616- }
617-
618589func (q * querier ) GetUsersWithCount (ctx context.Context , arg database.GetUsersParams ) ([]database.User , int64 , error ) {
619590 // q.GetUsers only returns authorized users
620591 rowUsers , err := q .GetUsers (ctx , arg )
@@ -640,11 +611,6 @@ func (q *querier) SoftDeleteUserByID(ctx context.Context, id uuid.UUID) error {
640611 return deleteQ (q .log , q .auth , q .db .GetUserByID , deleteF )(ctx , id )
641612}
642613
643- func (q * querier ) GetAuthorizedWorkspaces (ctx context.Context , arg database.GetWorkspacesParams , _ rbac.PreparedAuthorized ) ([]database.GetWorkspacesRow , error ) {
644- // TODO Delete this function, all GetWorkspaces should be authorized. For now just call GetWorkspaces on the authz querier.
645- return q .GetWorkspaces (ctx , arg )
646- }
647-
648614func (q * querier ) SoftDeleteWorkspaceByID (ctx context.Context , id uuid.UUID ) error {
649615 return deleteQ (q .log , q .auth , q .db .GetWorkspaceByID , func (ctx context.Context , id uuid.UUID ) error {
650616 return q .db .UpdateWorkspaceDeletedByID (ctx , database.UpdateWorkspaceDeletedByIDParams {
@@ -684,13 +650,6 @@ func authorizedTemplateVersionFromJob(ctx context.Context, q *querier, job datab
684650 }
685651}
686652
687- // GetAuthorizedUsers is not required for dbauthz since GetUsers is already
688- // authenticated.
689- func (q * querier ) GetAuthorizedUsers (ctx context.Context , arg database.GetUsersParams , _ rbac.PreparedAuthorized ) ([]database.GetUsersRow , error ) {
690- // GetUsers is authenticated.
691- return q .GetUsers (ctx , arg )
692- }
693-
694653func (q * querier ) AcquireLock (ctx context.Context , id int64 ) error {
695654 return q .db .AcquireLock (ctx , id )
696655}
@@ -2629,3 +2588,44 @@ func (q *querier) UpsertTailnetCoordinator(ctx context.Context, id uuid.UUID) (d
26292588 }
26302589 return q .db .UpsertTailnetCoordinator (ctx , id )
26312590}
2591+
2592+ func (q * querier ) GetAuthorizedTemplates (ctx context.Context , arg database.GetTemplatesWithFilterParams , _ rbac.PreparedAuthorized ) ([]database.Template , error ) {
2593+ // TODO Delete this function, all GetTemplates should be authorized. For now just call getTemplates on the authz querier.
2594+ return q .GetTemplatesWithFilter (ctx , arg )
2595+ }
2596+
2597+ func (q * querier ) GetTemplateGroupRoles (ctx context.Context , id uuid.UUID ) ([]database.TemplateGroup , error ) {
2598+ // An actor is authorized to read template group roles if they are authorized to read the template.
2599+ template , err := q .db .GetTemplateByID (ctx , id )
2600+ if err != nil {
2601+ return nil , err
2602+ }
2603+ if err := q .authorizeContext (ctx , rbac .ActionRead , template ); err != nil {
2604+ return nil , err
2605+ }
2606+ return q .db .GetTemplateGroupRoles (ctx , id )
2607+ }
2608+
2609+ func (q * querier ) GetTemplateUserRoles (ctx context.Context , id uuid.UUID ) ([]database.TemplateUser , error ) {
2610+ // An actor is authorized to query template user roles if they are authorized to read the template.
2611+ template , err := q .db .GetTemplateByID (ctx , id )
2612+ if err != nil {
2613+ return nil , err
2614+ }
2615+ if err := q .authorizeContext (ctx , rbac .ActionRead , template ); err != nil {
2616+ return nil , err
2617+ }
2618+ return q .db .GetTemplateUserRoles (ctx , id )
2619+ }
2620+
2621+ func (q * querier ) GetAuthorizedWorkspaces (ctx context.Context , arg database.GetWorkspacesParams , _ rbac.PreparedAuthorized ) ([]database.GetWorkspacesRow , error ) {
2622+ // TODO Delete this function, all GetWorkspaces should be authorized. For now just call GetWorkspaces on the authz querier.
2623+ return q .GetWorkspaces (ctx , arg )
2624+ }
2625+
2626+ // GetAuthorizedUsers is not required for dbauthz since GetUsers is already
2627+ // authenticated.
2628+ func (q * querier ) GetAuthorizedUsers (ctx context.Context , arg database.GetUsersParams , _ rbac.PreparedAuthorized ) ([]database.GetUsersRow , error ) {
2629+ // GetUsers is authenticated.
2630+ return q .GetUsers (ctx , arg )
2631+ }
0 commit comments