
Commit 1027d9f

committed
rewrite GetGroupMembersByGroupID permission checks
1 parent 13ca3a9 commit 1027d9f


2 files changed

+3
-45
lines changed


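--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -1397,37 +1397,7 @@ func (q *querier) GetGroupMembers(ctx context.Context) ([]database.GroupMember,
 }
 
 func (q *querier) GetGroupMembersByGroupID(ctx context.Context, id uuid.UUID) ([]database.GroupMember, error) {
-	group, err := q.GetGroupByID(ctx, id)
-	if err != nil { // AuthZ check
-		return nil, err
-	}
-	// The GroupMemberRBACHelper type is used to do the authz check. It ensures
-	// that group members can see themselves. Unless they have Group read permissions,
-	// they cannot see other members.
-	fetch := func(ctx context.Context, _ any) ([]database.GroupMemberRBACHelper, error) {
-		users, err := q.db.GetGroupMembersByGroupID(ctx, id)
-		if err != nil {
-			return nil, err
-		}
-		groupMembers := make([]database.GroupMemberRBACHelper, len(users))
-		for i, user := range users {
-			groupMembers[i] = database.GroupMemberRBACHelper{
-				User: user,
-				GroupID: group.ID,
-				OrganizationID: group.OrganizationID,
-			}
-		}
-		return groupMembers, nil
-	}
-	groupMembers, err := fetchWithPostFilter(q.auth, policy.ActionRead, fetch)(ctx, nil)
-	if err != nil {
-		return nil, err
-	}
-	users := make([]database.User, len(groupMembers))
-	for i, groupMember := range groupMembers {
-		users[i] = groupMember.User
-	}
-	return users, nil
+	return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetGroupMembersByGroupID)(ctx, id)
 }
 
 func (q *querier) GetGroupMembersCountByGroupID(ctx context.Context, groupID uuid.UUID) (int64, error) {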
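Review bot: The added return line drops the explicit `q.GetGroupByID(ctx, id)` authorization check, so a caller without read access to the group now receives an empty member list with a nil error instead of an authz error; any caller that distinguished "forbidden" from "no members" (e.g. to return 403 vs. an empty page) loses that signal. Visibility of each row is now decided solely by the post-filter on GroupMember.RBACObject, not by the group's own read permission or by the group existing, which is presumably the intent but deserves a comment since the explanatory comment left with the removed helper type: `// Post-filter per member: each row is authorized as a ResourceGroupMember (see GroupMember.RBACObject); no group-level read check is performed here.` Please also confirm that q.db.GetGroupMembersByGroupID returns an empty slice rather than an error for an unknown group id, since GetGroupByID previously surfaced that case to callers.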

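--- a/coderd/database/modelmethods.go
+++ b/coderd/database/modelmethods.go
@@ -183,20 +183,8 @@ func (g Group) RBACObject() rbac.Object {
 	})
 }
 
-type GroupMemberRBACHelper struct {
-	User User
-	GroupID uuid.UUID
-	OrganizationID uuid.UUID
-}
-
-func (gm GroupMemberRBACHelper) RBACObject() rbac.Object {
-	return rbac.ResourceGroup.WithID(gm.GroupID).InOrg(gm.OrganizationID).
-		// Group member can see they are in the group.
-		WithACLUserList(map[string][]policy.Action{
-			gm.User.ID.String(): {
-				policy.ActionRead,
-			},
-		})
+func (gm GroupMember) RBACObject() rbac.Object {
+	return rbac.ResourceGroupMember.WithID(gm.UserID).InOrg(gm.OrganizationID).WithOwner(gm.UserID.String())
 }
 
 type GroupMembersCountRBACHelper struct {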
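Review bot: The RBAC object built on the added return line identifies a membership by the user alone — `WithID(gm.UserID)` and `WithOwner(gm.UserID.String())` — so a user's memberships in different groups of the same organization produce identical objects and a policy cannot tell them apart; if GroupMember exposes the group id as the removed helper did, consider using it as the object ID, otherwise document that the per-user identity is deliberate. Owner-based authorization also grants whatever actions the owner's role allows on ResourceGroupMember, which may be broader than the single ActionRead the previous ACL entry granted; that depends on role definitions outside this diff, so please confirm the intended scope. The exported method lacks a doc comment; suggest `// RBACObject returns the group-member resource for this membership, scoped to the member's organization and owned by the member's UserID.`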
