fix: dbauthz: fix RBAC call for GetTemplateVersionVariables (#6670)

johnstcn · web-flow · commit 331a49bf752f · 2023-03-20T10:22:16.000Z
In GetTemplateVersionVariables we were effectively asking the provisionerd role to call rbac.ActionCreate on rbac.ResourceTemplate, which will never work. Updated this to be rbac.ActionRead instead.
diff --git a/coderd/database/dbauthz/querier.go b/coderd/database/dbauthz/querier.go
@@ -735,7 +735,7 @@ func (q *querier) GetTemplateVersionVariables(ctx context.Context, templateVersi
 		object = tv.RBACObject(template)
 	}
 
-	if err := q.authorizeContext(ctx, rbac.ActionCreate, object); err != nil {
+	if err := q.authorizeContext(ctx, rbac.ActionRead, object); err != nil {
 		return nil, err
 	}
 	return q.db.GetTemplateVersionVariables(ctx, templateVersionID)
diff --git a/coderd/database/dbauthz/querier_test.go b/coderd/database/dbauthz/querier_test.go
@@ -599,6 +599,16 @@ func (s *MethodTestSuite) TestTemplate() {
 		})
 		check.Args(tv.ID).Asserts(t1, rbac.ActionRead).Returns([]database.TemplateVersionParameter{})
 	}))
+	s.Run("GetTemplateVersionVariables", s.Subtest(func(db database.Store, check *expects) {
+		t1 := dbgen.Template(s.T(), db, database.Template{})
+		tv := dbgen.TemplateVersion(s.T(), db, database.TemplateVersion{
+			TemplateID: uuid.NullUUID{UUID: t1.ID, Valid: true},
+		})
+		tvv1 := dbgen.TemplateVersionVariable(s.T(), db, database.TemplateVersionVariable{
+			TemplateVersionID: tv.ID,
+		})
+		check.Args(tv.ID).Asserts(t1, rbac.ActionRead).Returns([]database.TemplateVersionVariable{tvv1})
+	}))
 	s.Run("GetTemplateGroupRoles", s.Subtest(func(db database.Store, check *expects) {
 		t1 := dbgen.Template(s.T(), db, database.Template{})
 		check.Args(t1.ID).Asserts(t1, rbac.ActionRead)

Original file line number	Diff line number	Diff line change
`@@ -735,7 +735,7 @@ func (q *querier) GetTemplateVersionVariables(ctx context.Context, templateVersi`
`735`	`735`	`object = tv.RBACObject(template)`
`736`	`736`	`}`
`737`	`737`
`738`		`- if err := q.authorizeContext(ctx, rbac.ActionCreate, object); err != nil {`
	`738`	`+ if err := q.authorizeContext(ctx, rbac.ActionRead, object); err != nil {`
`739`	`739`	`return nil, err`
`740`	`740`	`}`
`741`	`741`	`return q.db.GetTemplateVersionVariables(ctx, templateVersionID)`