frobulating happily together

johnstcn · johnstcn · commit 16d0869028fc · 2024-08-01T15:11:09.000+01:00
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -2060,10 +2060,16 @@ func (q *querier) GetUserCount(ctx context.Context) (int64, error) {
 }
 
 func (q *querier) GetUserFrobulators(ctx context.Context, userID uuid.UUID) ([]database.Frobulator, error) {
-	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceFrobulator.WithOwner(userID.String())); err != nil {
-		return nil, err
-	}
-	return q.db.GetUserFrobulators(ctx, userID)
+	return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetUserFrobulators)(ctx, userID)
+	// Alternatively: just check if you can read *a* Frobulator owned by your ID.
+	// This is technically incorrect, as if Frobulators later become org-scoped, this will no longer be correct!
+	// But it's **much, much faster** .
+	/*
+		if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceFrobulator.WithOwner(userID.String())); err != nil {
+			return nil, err
+		}
+		return q.db.GetUserFrobulators(ctx, userID)
+	*/
 }
 
 func (q *querier) GetUserLatencyInsights(ctx context.Context, arg database.GetUserLatencyInsightsParams) ([]database.GetUserLatencyInsightsRow, error) {
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -117,6 +117,10 @@ func (k APIKey) RBACObject() rbac.Object {
 		WithOwner(k.UserID.String())
 }
 
+func (f Frobulator) RBACObject() rbac.Object {
+	return rbac.ResourceFrobulator.WithID(f.ID).WithOwner(f.UserID.String())
+}
+
 func (t Template) RBACObject() rbac.Object {
 	return rbac.ResourceTemplate.WithID(t.ID).
 		InOrg(t.OrganizationID).
diff --git a/coderd/frobulators.go b/coderd/frobulators.go
@@ -8,8 +8,6 @@ import (
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
-	"github.com/coder/coder/v2/coderd/rbac"
-	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/codersdk"
 )
 
@@ -26,10 +24,6 @@ import (
 func (api *API) createFrobulator(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	user := httpmw.UserParam(r)
-	if !api.Authorize(r, policy.ActionCreate, rbac.ResourceFrobulator.WithOwner(user.ID.String())) {
-		httpapi.Forbidden(rw)
-		return
-	}
 
 	var req codersdk.InsertFrobulatorRequest
 	if !httpapi.Read(ctx, rw, r, &req) {
@@ -60,12 +54,6 @@ func (api *API) createFrobulator(rw http.ResponseWriter, r *http.Request) {
 // @Router /frobulators/{user} [get]
 func (api *API) listUserFrobulators(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
-	key := httpmw.APIKey(r)
-	if !api.Authorize(r, policy.ActionRead, rbac.ResourceFrobulator.WithOwner(key.UserID.String())) {
-		httpapi.Forbidden(rw)
-		return
-	}
-
 	user := httpmw.UserParam(r)
 	frobs, err := api.Database.GetUserFrobulators(ctx, user.ID)
 	if err != nil {
@@ -94,10 +82,6 @@ func (api *API) listUserFrobulators(rw http.ResponseWriter, r *http.Request) {
 // @Router /frobulators [get]
 func (api *API) listAllFrobulators(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
-	if !api.Authorize(r, policy.ActionRead, rbac.ResourceFrobulator) {
-		httpapi.Forbidden(rw)
-		return
-	}
 
 	frobs, err := api.Database.GetAllFrobulators(ctx)
 	if err != nil {
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -310,6 +310,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			ResourceDeploymentConfig.Type: {policy.ActionRead},
 			// Org roles are not really used yet, so grant the perm at the site level.
 			ResourceOrganizationMember.Type: {policy.ActionRead},
+			// The site-wide auditor is allowed to read *all* frobulators, regardless of who owns them.
+			ResourceFrobulator.Type: {policy.ActionRead},
 		}),
 		Org:  map[string][]Permission{},
 		User: []Permission{},
@@ -439,8 +441,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				Site:        []Permission{},
 				Org: map[string][]Permission{
 					organizationID.String(): Permissions(map[string][]policy.Action{
-						ResourceAuditLog.Type:   {policy.ActionRead},
-						ResourceFrobulator.Type: {policy.ActionRead},
+						ResourceAuditLog.Type: {policy.ActionRead},
 					}),
 				},
 				User: []Permission{},
