coder
diff --git a/‎coderd/authorize.go
Lines changed: 0 additions & 1 deletion b/‎coderd/authorize.go
Lines changed: 0 additions & 1 deletion
diff --git a/‎coderd/coderdtest/authorize.go
Lines changed: 1 addition & 2 deletions b/‎coderd/coderdtest/authorize.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎coderd/database/modelqueries.go
Lines changed: 32 additions & 10 deletions b/‎coderd/database/modelqueries.go
Lines changed: 32 additions & 10 deletions
diff --git a/‎coderd/database/modelqueries_internal_test.go
Lines changed: 15 additions & 0 deletions b/‎coderd/database/modelqueries_internal_test.go
Lines changed: 15 additions & 0 deletions
diff --git a/‎coderd/rbac/authz.go
Lines changed: 1 addition & 1 deletion b/‎coderd/rbac/authz.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/rbac/input.json
Lines changed: 0 additions & 120 deletions b/‎coderd/rbac/input.json
Lines changed: 0 additions & 120 deletions
diff --git a/‎coderd/rbac/input2.json
Lines changed: 0 additions & 1 deletion b/‎coderd/rbac/input2.json
Lines changed: 0 additions & 1 deletion
diff --git a/‎coderd/rbac/memprofile.out
-25.4 KB b/‎coderd/rbac/memprofile.out
-25.4 KB
diff --git a/‎coderd/rbac/partial.go
Lines changed: 2 additions & 3 deletions b/‎coderd/rbac/partial.go
Lines changed: 2 additions & 3 deletions
diff --git a/‎coderd/rbac/partial.json
Lines changed: 0 additions & 7 deletions b/‎coderd/rbac/partial.json
Lines changed: 0 additions & 7 deletions
diff --git a/‎coderd/rbac/profile.out
-46.5 KB b/‎coderd/rbac/profile.out
-46.5 KB
diff --git a/‎coderd/rbac/rbac.test
-24 MB b/‎coderd/rbac/rbac.test
-24 MB
@@ -5,7 +5,6 @@ import (
 	"net/http"
 
 	"github.com/google/uuid"
-
 	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
 
@@ -9,15 +9,14 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/coder/coder/coderd/rbac/regosql"
-
 	"github.com/go-chi/chi/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/coderd"
 	"github.com/coder/coder/coderd/rbac"
+	"github.com/coder/coder/coderd/rbac/regosql"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/provisioner/echo"
 	"github.com/coder/coder/provisionersdk/proto"
 
@@ -5,14 +5,16 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/coder/coder/coderd/rbac/regosql"
-
+	"github.com/google/uuid"
 	"github.com/lib/pq"
+	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/coderd/rbac"
+	"github.com/coder/coder/coderd/rbac/regosql"
+)
 
-	"github.com/google/uuid"
-	"golang.org/x/xerrors"
+const (
+	authorizedQueryPlaceholder = "-- @authorize_filter"
 )
 
 // customQuerier encompasses all non-generated queries.
@@ -38,9 +40,13 @@ func (q *sqlQuerier) GetAuthorizedTemplates(ctx context.Context, arg GetTemplate
 		return nil, xerrors.Errorf("compile authorized filter: %w", err)
 	}
 
-	filter := strings.Replace(getTemplatesWithFilter, "-- @authorize_filter", fmt.Sprintf(" AND %s", authorizedFilter), 1)
+	filtered, err := insertAuthorizedFilter(getTemplatesWithFilter, fmt.Sprintf(" AND %s", authorizedFilter))
+	if err != nil {
+		return nil, xerrors.Errorf("insert authorized filter: %w", err)
+	}
+
 	// The name comment is for metric tracking
-	query := fmt.Sprintf("-- name: GetAuthorizedTemplates :many\n%s", filter)
+	query := fmt.Sprintf("-- name: GetAuthorizedTemplates :many\n%s", filtered)
 	rows, err := q.db.QueryContext(ctx, query,
 		arg.Deleted,
 		arg.OrganizationID,
@@ -183,9 +189,13 @@ func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspa
 
 	// In order to properly use ORDER BY, OFFSET, and LIMIT, we need to inject the
 	// authorizedFilter between the end of the where clause and those statements.
-	filter := strings.Replace(getWorkspaces, "-- @authorize_filter", fmt.Sprintf(" AND %s", authorizedFilter), 1)
+	filtered, err := insertAuthorizedFilter(getWorkspaces, fmt.Sprintf(" AND %s", authorizedFilter))
+	if err != nil {
+		return nil, xerrors.Errorf("insert authorized filter: %w", err)
+	}
+
 	// The name comment is for metric tracking
-	query := fmt.Sprintf("-- name: GetAuthorizedWorkspaces :many\n%s", filter)
+	query := fmt.Sprintf("-- name: GetAuthorizedWorkspaces :many\n%s", filtered)
 	rows, err := q.db.QueryContext(ctx, query,
 		arg.Deleted,
 		arg.Status,
@@ -241,8 +251,12 @@ func (q *sqlQuerier) GetAuthorizedUserCount(ctx context.Context, arg GetFiltered
 		return -1, xerrors.Errorf("compile authorized filter: %w", err)
 	}
 
-	filter := strings.Replace(getFilteredUserCount, "-- @authorize_filter", fmt.Sprintf(" AND %s", authorizedFilter), 1)
-	query := fmt.Sprintf("-- name: GetAuthorizedUserCount :one\n%s", filter)
+	filtered, err := insertAuthorizedFilter(getFilteredUserCount, fmt.Sprintf(" AND %s", authorizedFilter))
+	if err != nil {
+		return -1, xerrors.Errorf("insert authorized filter: %w", err)
+	}
+
+	query := fmt.Sprintf("-- name: GetAuthorizedUserCount :one\n%s", filtered)
 	row := q.db.QueryRowContext(ctx, query,
 		arg.Deleted,
 		arg.Search,
@@ -253,3 +267,11 @@ func (q *sqlQuerier) GetAuthorizedUserCount(ctx context.Context, arg GetFiltered
 	err = row.Scan(&count)
 	return count, err
 }
+
+func insertAuthorizedFilter(query string, replaceWith string) (string, error) {
+	if !strings.Contains(query, authorizedQueryPlaceholder) {
+		return "", xerrors.Errorf("query does not contain authorized replace string, this is not an authorized query")
+	}
+	filtered := strings.Replace(query, authorizedQueryPlaceholder, replaceWith, 1)
+	return filtered, nil
+}
@@ -0,0 +1,15 @@
+package database
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestIsAuthorizedQuery(t *testing.T) {
+	t.Parallel()
+
+	query := `SELECT true;`
+	_, err := insertAuthorizedFilter(query, "")
+	require.ErrorContains(t, err, "does not contain authorized replace string", "ensure replace string")
+}
@@ -3,14 +3,14 @@ package rbac
 import (
 	"context"
 	_ "embed"
-	"github.com/coder/coder/coderd/rbac/regosql"
 	"sync"
 
 	"github.com/open-policy-agent/opa/rego"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
 	"golang.org/x/xerrors"
 
+	"github.com/coder/coder/coderd/rbac/regosql"
 	"github.com/coder/coder/coderd/tracing"
 )
 
 
@@ -3,12 +3,11 @@ package rbac
 import (
 	"context"
 
-	"github.com/coder/coder/coderd/rbac/regosql"
-	"golang.org/x/xerrors"
-
 	"github.com/open-policy-agent/opa/ast"
 	"github.com/open-policy-agent/opa/rego"
+	"golang.org/x/xerrors"
 
+	"github.com/coder/coder/coderd/rbac/regosql"
 	"github.com/coder/coder/coderd/tracing"
 )