coder
diff --git a/‎cli/notifications_test.go
Lines changed: 42 additions & 3 deletions b/‎cli/notifications_test.go
Lines changed: 42 additions & 3 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 6 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 6 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/database/modelmethods.go
Lines changed: 4 additions & 0 deletions b/‎coderd/database/modelmethods.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/notifications.go
Lines changed: 23 additions & 3 deletions b/‎coderd/notifications.go
Lines changed: 23 additions & 3 deletions
diff --git a/‎coderd/notifications_test.go
Lines changed: 40 additions & 0 deletions b/‎coderd/notifications_test.go
Lines changed: 40 additions & 0 deletions
diff --git a/‎docs/reference/api/notifications.md
Lines changed: 6 additions & 5 deletions b/‎docs/reference/api/notifications.md
Lines changed: 6 additions & 5 deletions
@@ -10,6 +10,9 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbgen"
+
 	"github.com/coder/coder/v2/cli/clitest"
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/notifications"
@@ -175,11 +178,12 @@ func TestCustomNotifications(t *testing.T) {
 
 		notifyEnq := &notificationstest.FakeEnqueuer{}
 
-		// Given: A member user
 		ownerClient := coderdtest.New(t, &coderdtest.Options{
 			DeploymentValues:      coderdtest.DeploymentValues(t),
 			NotificationsEnqueuer: notifyEnq,
 		})
+
+		// Given: A member user
 		ownerUser := coderdtest.CreateFirstUser(t, ownerClient)
 		memberClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, ownerUser.OrganizationID)
 
@@ -192,23 +196,58 @@ func TestCustomNotifications(t *testing.T) {
 		var sdkError *codersdk.Error
 		require.Error(t, err)
 		require.ErrorAsf(t, err, &sdkError, "error should be of type *codersdk.Error")
-		assert.Equal(t, http.StatusBadRequest, sdkError.StatusCode())
+		require.Equal(t, http.StatusBadRequest, sdkError.StatusCode())
 		require.Equal(t, "Invalid request body", sdkError.Message)
 
 		sent := notifyEnq.Sent(notificationstest.WithTemplateID(notifications.TemplateTestNotification))
 		require.Len(t, sent, 0)
 	})
 
+	t.Run("SystemUserNotAllowed", func(t *testing.T) {
+		t.Parallel()
+
+		notifyEnq := &notificationstest.FakeEnqueuer{}
+
+		ownerClient, db := coderdtest.NewWithDatabase(t, &coderdtest.Options{
+			DeploymentValues:      coderdtest.DeploymentValues(t),
+			NotificationsEnqueuer: notifyEnq,
+		})
+
+		// Given: A system user (prebuilds system user)
+		_, token := dbgen.APIKey(t, db, database.APIKey{
+			UserID:    database.PrebuildsSystemUserID,
+			LoginType: database.LoginTypeNone,
+		})
+		systemUserClient := codersdk.New(ownerClient.URL)
+		systemUserClient.SetSessionToken(token)
+
+		// When: The system user attempts to send a custom notification
+		inv, root := clitest.New(t, "notifications", "custom", "Custom Title", "Custom Message")
+		clitest.SetupConfig(t, systemUserClient, root)
+
+		// Then: an error is expected with no notifications sent
+		err := inv.Run()
+		var sdkError *codersdk.Error
+		require.Error(t, err)
+		require.ErrorAsf(t, err, &sdkError, "error should be of type *codersdk.Error")
+		require.Equal(t, http.StatusForbidden, sdkError.StatusCode())
+		require.Equal(t, "Forbidden", sdkError.Message)
+
+		sent := notifyEnq.Sent(notificationstest.WithTemplateID(notifications.TemplateTestNotification))
+		require.Len(t, sent, 0)
+	})
+
 	t.Run("Success", func(t *testing.T) {
 		t.Parallel()
 
 		notifyEnq := &notificationstest.FakeEnqueuer{}
 
-		// Given: A member user
 		ownerClient := coderdtest.New(t, &coderdtest.Options{
 			DeploymentValues:      coderdtest.DeploymentValues(t),
 			NotificationsEnqueuer: notifyEnq,
 		})
+
+		// Given: A member user
 		ownerUser := coderdtest.CreateFirstUser(t, ownerClient)
 		memberClient, memberUser := coderdtest.CreateAnotherUser(t, ownerClient, ownerUser.OrganizationID)
 
 
@@ -376,6 +376,10 @@ func (u User) RBACObject() rbac.Object {
 	return rbac.ResourceUserObject(u.ID)
 }
 
+func (u User) IsSystemUser() bool {
+	return u.IsSystem
+}
+
 func (u GetUsersRow) RBACObject() rbac.Object {
 	return rbac.ResourceUserObject(u.ID)
 }
 
@@ -333,6 +333,7 @@ func (api *API) putUserNotificationPreferences(rw http.ResponseWriter, r *http.R
 // @Param request body codersdk.CustomNotification true "Provide a non-empty title or message"
 // @Success 204 "No Content"
 // @Failure 400 {object} codersdk.Response "Invalid request body"
+// @Failure 403 {object} codersdk.Response "System users cannot send custom notifications"
 // @Failure 500 {object} codersdk.Response "Failed to send custom notification"
 // @Router /notifications/custom [post]
 func (api *API) postCustomNotification(rw http.ResponseWriter, r *http.Request) {
@@ -357,17 +358,36 @@ func (api *API) postCustomNotification(rw http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	userID := apiKey.UserID
+	// Block system users from sending custom notifications
+	user, err := api.Database.GetUserByID(ctx, apiKey.UserID)
+	if err != nil {
+		api.Logger.Error(ctx, "send custom notification", slog.Error(err))
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Failed to send custom notification",
+			Detail:  err.Error(),
+		})
+		return
+	}
+	if user.IsSystemUser() {
+		api.Logger.Error(ctx, "send custom notification: system user is not allowed",
+			slog.F("id", user.ID.String()), slog.F("name", user.Name))
+		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
+			Message: "Forbidden",
+			Detail:  "System users cannot send custom notifications.",
+		})
+		return
+	}
+
 	if _, err := api.NotificationsEnqueuer.Enqueue(
 		//nolint:gocritic // We need to be notifier to send the notification.
 		dbauthz.AsNotifier(ctx),
-		userID,
+		user.ID,
 		notifications.TemplateCustomNotification,
 		map[string]string{
 			"custom_title":   req.Title,
 			"custom_message": req.Message,
 		},
-		userID.String(),
+		user.ID.String(),
 	); err != nil {
 		api.Logger.Error(ctx, "send custom notification", slog.Error(err))
 		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 
@@ -11,6 +11,7 @@ import (
 
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbgen"
 	"github.com/coder/coder/v2/coderd/notifications"
 	"github.com/coder/coder/v2/coderd/notifications/notificationstest"
 	"github.com/coder/coder/v2/codersdk"
@@ -407,6 +408,45 @@ func TestCustomNotification(t *testing.T) {
 		require.ErrorAsf(t, err, &sdkError, "error should be of type *codersdk.Error")
 		require.Equal(t, http.StatusBadRequest, sdkError.StatusCode())
 		require.Equal(t, "Invalid request body", sdkError.Message)
+
+		sent := notifyEnq.Sent(notificationstest.WithTemplateID(notifications.TemplateTestNotification))
+		require.Len(t, sent, 0)
+	})
+
+	t.Run("SystemUserNotAllowed", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		notifyEnq := &notificationstest.FakeEnqueuer{}
+		ownerClient, db := coderdtest.NewWithDatabase(t, &coderdtest.Options{
+			DeploymentValues:      coderdtest.DeploymentValues(t),
+			NotificationsEnqueuer: notifyEnq,
+		})
+
+		// Given: A system user (prebuilds system user)
+		_, token := dbgen.APIKey(t, db, database.APIKey{
+			UserID:    database.PrebuildsSystemUserID,
+			LoginType: database.LoginTypeNone,
+		})
+		systemUserClient := codersdk.New(ownerClient.URL)
+		systemUserClient.SetSessionToken(token)
+
+		// When: The system user attempts to send a custom notification
+		err := systemUserClient.PostCustomNotification(ctx, codersdk.CustomNotification{
+			Title:   "Custom Title",
+			Message: "Custom Message",
+		})
+
+		// Then: a forbidden error is expected with no notifications sent
+		var sdkError *codersdk.Error
+		require.Error(t, err)
+		require.ErrorAsf(t, err, &sdkError, "error should be of type *codersdk.Error")
+		require.Equal(t, http.StatusForbidden, sdkError.StatusCode())
+		require.Equal(t, "Forbidden", sdkError.Message)
+
+		sent := notifyEnq.Sent(notificationstest.WithTemplateID(notifications.TemplateTestNotification))
+		require.Len(t, sent, 0)
 	})
 
 	t.Run("Success", func(t *testing.T) {
Original file line number	Diff line number	Diff line change
`@@ -376,6 +376,10 @@ func (u User) RBACObject() rbac.Object {`
`376`	`376`	`return rbac.ResourceUserObject(u.ID)`
`377`	`377`	`}`
`378`	`378`
	`379`	`+func (u User) IsSystemUser() bool {`
	`380`	`+ return u.IsSystem`
	`381`	`+}`
	`382`	`+`
`379`	`383`	`func (u GetUsersRow) RBACObject() rbac.Object {`
`380`	`384`	`return rbac.ResourceUserObject(u.ID)`
`381`	`385`	`}`