
Commit 4815eae

committed
remove dead code
1 parent ce151e6 commit 4815eae

2 files changed

+1
-55
lines changed


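--- a/coderd/httpmw/organizationparam.go
+++ b/coderd/httpmw/organizationparam.go
@@ -194,6 +194,7 @@ func ExtractOrganizationMember(ctx context.Context, auth func(r *http.Request, a
 return nil, nil, true
 }
 
+// Only return the user data if the caller can read the user object.
 if auth != nil && auth(r, policy.ActionRead, user) {
 return &user, organizationMembers, false
 }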
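Review bot: The added comment describes only the authorized path, while the guard on the next line, `if auth != nil && auth(r, policy.ActionRead, user)`, means a nil auth callback skips the read check altogether and the function falls through to whatever follows the block. Since this is an access-control decision, the comment should make that explicit, e.g. `// Only return the user data if the caller can read the user object; a nil auth skips this check and falls through to the return below.` The remainder of ExtractOrganizationMember, including what the fall-through actually returns, lies outside the hunk, so the wording of the second clause should be checked against it.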

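--- a/coderd/httpmw/userparam.go
+++ b/coderd/httpmw/userparam.go
@@ -9,7 +9,6 @@ import (
 "github.com/google/uuid"
 
 "github.com/coder/coder/v2/coderd/database"
-"github.com/coder/coder/v2/coderd/database/dbauthz"
 "github.com/coder/coder/v2/coderd/httpapi"
 "github.com/coder/coder/v2/codersdk"
 )
@@ -129,57 +128,3 @@ func ExtractUserContext(ctx context.Context, db database.Store, rw http.Response
 }
 return user, true
 }
-
-// ExtractUserID will work if the requester can access any OrganizationMember that
-// belongs to the user.
-func ExtractUserID(db database.Store) func(http.Handler) http.Handler {
-return func(next http.Handler) http.Handler {
-return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-ctx := r.Context()
-// We need to resolve the `{user}` URL parameter so that we can get the userID and
-// username. We do this as SystemRestricted since the caller might have permission
-// to access the OrganizationMember object, but *not* the User object. So, it is
-// very important that we do not add the User object to the request context or otherwise
-// leak it to the API handler.
-// nolint:gocritic
-user, ok := ExtractUserContext(dbauthz.AsSystemRestricted(ctx), db, rw, r)
-if !ok {
-return
-}
-organization := OrganizationParam(r)
-
-organizationMember, err := database.ExpectOne(db.OrganizationMembers(ctx, database.OrganizationMembersParams{
-OrganizationID: organization.ID,
-UserID: user.ID,
-IncludeSystem: false,
-}))
-if httpapi.Is404Error(err) {
-httpapi.ResourceNotFound(rw)
-return
-}
-if err != nil {
-httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-Message: "Internal error fetching organization member.",
-Detail: err.Error(),
-})
-return
-}
-
-ctx = context.WithValue(ctx, organizationMemberParamContextKey{}, OrganizationMember{
-OrganizationMember: organizationMember.OrganizationMember,
-// Here we're making two exceptions to the rule about not leaking data about the user
-// to the API handler, which is to include the username and avatar URL.
-// If the caller has permission to read the OrganizationMember, then we're explicitly
-// saying here that they also have permission to see the member's username and avatar.
-// This is OK!
-//
-// API handlers need this information for audit logging and returning the owner's
-// username in response to creating a workspace. Additionally, the frontend consumes
-// the Avatar URL and this allows the FE to avoid an extra request.
-Username: user.Username,
-AvatarURL: user.AvatarURL,
-})
-next.ServeHTTP(rw, r.WithContext(ctx))
-})
-}
-}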
