coder
diff --git a/‎cli/server.go
+1-7 b/‎cli/server.go
+1-7
diff --git a/‎coderd/coderdtest/coderdtest.go
+1-4 b/‎coderd/coderdtest/coderdtest.go
+1-4
diff --git a/‎coderd/database/dbauthz/dbauthz.go
+9-3 b/‎coderd/database/dbauthz/dbauthz.go
+9-3
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
+16 b/‎coderd/database/dbauthz/dbauthz_test.go
+16
diff --git a/‎coderd/runtimeconfig/config.go
-161 b/‎coderd/runtimeconfig/config.go
-161
@@ -821,13 +821,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				return err
 			}
 
-			// TODO: Throw a caching layer infront of the RuntimeConfig to prevent
-			// excessive database queries.
-			// Note: This happens before dbauthz, which is really unfortunate.
-			// dbauthz is configured in `Coderd.New()`, but we need the manager
-			// at this level for notifications. We might have to move some init
-			// code around.
-			options.RuntimeConfig = runtimeconfig.NewStoreManager(options.Database)
+			options.RuntimeConfig = runtimeconfig.NewStoreManager()
 
 			// This should be output before the logs start streaming.
 			cliui.Infof(inv.Stdout, "\n==> Logs will stream in below (press ctrl+c to gracefully exit):")
 
@@ -255,10 +255,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 	var acs dbauthz.AccessControlStore = dbauthz.AGPLTemplateAccessControlStore{}
 	accessControlStore.Store(&acs)
 
-	// runtimeManager does not use dbauthz.
-	// TODO: It probably should, but the init code for prod happens before dbauthz
-	// is ready.
-	runtimeManager := runtimeconfig.NewStoreManager(options.Database)
+	runtimeManager := runtimeconfig.NewStoreManager()
 	options.Database = dbauthz.New(options.Database, options.Authorizer, *options.Logger, accessControlStore)
 
 	// Some routes expect a deployment ID, so just make sure one exists.
 
@@ -1184,7 +1184,9 @@ func (q *querier) DeleteReplicasUpdatedBefore(ctx context.Context, updatedAt tim
 }
 
 func (q *querier) DeleteRuntimeConfig(ctx context.Context, key string) error {
-	// TODO: auth
+	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {
+		return err
+	}
 	return q.db.DeleteRuntimeConfig(ctx, key)
 }
 
@@ -1862,7 +1864,9 @@ func (q *querier) GetReplicasUpdatedAfter(ctx context.Context, updatedAt time.Ti
 }
 
 func (q *querier) GetRuntimeConfig(ctx context.Context, key string) (string, error) {
-	// TODO: auth
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
+		return "", err
+	}
 	return q.db.GetRuntimeConfig(ctx, key)
 }
 
@@ -3917,7 +3921,9 @@ func (q *querier) UpsertProvisionerDaemon(ctx context.Context, arg database.Upse
 }
 
 func (q *querier) UpsertRuntimeConfig(ctx context.Context, arg database.UpsertRuntimeConfigParams) error {
-	// TODO: auth
+	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceSystem); err != nil {
+		return err
+	}
 	return q.db.UpsertRuntimeConfig(ctx, arg)
 }
 
 
@@ -2696,6 +2696,22 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 			AgentID:     uuid.New(),
 		}).Asserts(tpl, policy.ActionCreate)
 	}))
+	s.Run("DeleteRuntimeConfig", s.Subtest(func(db database.Store, check *expects) {
+		check.Args("test").Asserts(rbac.ResourceSystem, policy.ActionDelete)
+	}))
+	s.Run("GetRuntimeConfig", s.Subtest(func(db database.Store, check *expects) {
+		_ = db.UpsertRuntimeConfig(context.Background(), database.UpsertRuntimeConfigParams{
+			Key:   "test",
+			Value: "value",
+		})
+		check.Args("test").Asserts(rbac.ResourceSystem, policy.ActionRead)
+	}))
+	s.Run("UpsertRuntimeConfig", s.Subtest(func(db database.Store, check *expects) {
+		check.Args(database.UpsertRuntimeConfigParams{
+			Key:   "test",
+			Value: "value",
+		}).Asserts(rbac.ResourceSystem, policy.ActionCreate)
+	}))
 }
 
 func (s *MethodTestSuite) TestNotifications() {
Original file line number	Diff line number	Diff line change
`@@ -1184,7 +1184,9 @@ func (q *querier) DeleteReplicasUpdatedBefore(ctx context.Context, updatedAt tim`
`1184`	`1184`	`}`
`1185`	`1185`
`1186`	`1186`	`func (q *querier) DeleteRuntimeConfig(ctx context.Context, key string) error {`
`1187`		`- // TODO: auth`
	`1187`	`+ if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {`
	`1188`	`+ return err`
	`1189`	`+ }`
`1188`	`1190`	`return q.db.DeleteRuntimeConfig(ctx, key)`
`1189`	`1191`	`}`
`1190`	`1192`
`@@ -1862,7 +1864,9 @@ func (q *querier) GetReplicasUpdatedAfter(ctx context.Context, updatedAt time.Ti`
`1862`	`1864`	`}`
`1863`	`1865`
`1864`	`1866`	`func (q *querier) GetRuntimeConfig(ctx context.Context, key string) (string, error) {`
`1865`		`- // TODO: auth`
	`1867`	`+ if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {`
	`1868`	`+ return "", err`
	`1869`	`+ }`
`1866`	`1870`	`return q.db.GetRuntimeConfig(ctx, key)`
`1867`	`1871`	`}`
`1868`	`1872`
`@@ -3917,7 +3921,9 @@ func (q *querier) UpsertProvisionerDaemon(ctx context.Context, arg database.Upse`
`3917`	`3921`	`}`
`3918`	`3922`
`3919`	`3923`	`func (q *querier) UpsertRuntimeConfig(ctx context.Context, arg database.UpsertRuntimeConfigParams) error {`
`3920`		`- // TODO: auth`
	`3924`	`+ if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceSystem); err != nil {`
	`3925`	`+ return err`
	`3926`	`+ }`
`3921`	`3927`	`return q.db.UpsertRuntimeConfig(ctx, arg)`
`3922`	`3928`	`}`
`3923`	`3929`