fix authorize bug

sreya · sreya · commit 5a081eb6ceb3 · 2022-09-19T18:25:52.000Z
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -399,6 +399,7 @@ func createAnotherUserRetry(t *testing.T, client *codersdk.Client, organizationI
 // with the responses provided. It uses the "echo" provisioner for compatibility
 // with testing.
 func CreateTemplateVersion(t *testing.T, client *codersdk.Client, organizationID uuid.UUID, res *echo.Responses) codersdk.TemplateVersion {
+	t.Helper()
 	data, err := echo.Tar(res)
 	require.NoError(t, err)
 	file, err := client.Upload(context.Background(), codersdk.ContentTypeTar, data)
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -21,6 +21,10 @@ func (u UserACL) Actions() map[string][]rbac.Action {
 
 func (t Template) UserACL() UserACL {
 	var acl UserACL
+	if len(t.userACL) == 0 {
+		return acl
+	}
+
 	err := json.Unmarshal(t.userACL, &acl)
 	if err != nil {
 		panic(fmt.Sprintf("failed to unmarshal template.userACL: %v", err.Error()))
diff --git a/coderd/httpmw/templateversionparam.go b/coderd/httpmw/templateversionparam.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 
 	"github.com/go-chi/chi/v5"
+	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/httpapi"
@@ -32,6 +33,7 @@ func ExtractTemplateVersionParam(db database.Store) func(http.Handler) http.Hand
 			if !parsed {
 				return
 			}
+
 			templateVersion, err := db.GetTemplateVersionByID(r.Context(), templateVersionID)
 			if errors.Is(err, sql.ErrNoRows) {
 				httpapi.ResourceNotFound(rw)
@@ -46,11 +48,7 @@ func ExtractTemplateVersionParam(db database.Store) func(http.Handler) http.Hand
 			}
 
 			template, err := db.GetTemplateByID(r.Context(), templateVersion.TemplateID.UUID)
-			if errors.Is(err, sql.ErrNoRows) {
-				httpapi.ResourceNotFound(rw)
-				return
-			}
-			if err != nil {
+			if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
 				httpapi.Write(rw, http.StatusInternalServerError, codersdk.Response{
 					Message: "Internal error fetching template.",
 					Detail:  err.Error(),
@@ -61,8 +59,7 @@ func ExtractTemplateVersionParam(db database.Store) func(http.Handler) http.Hand
 			ctx := context.WithValue(r.Context(), templateVersionParamContextKey{}, templateVersion)
 			chi.RouteContext(ctx).URLParams.Add("organization", templateVersion.OrganizationID.String())
 
-			ctx = context.WithValue(r.Context(), templateParamContextKey{}, template)
-			chi.RouteContext(ctx).URLParams.Add("organization", template.OrganizationID.String())
+			ctx = context.WithValue(ctx, templateParamContextKey{}, template)
 
 			next.ServeHTTP(rw, r.WithContext(ctx))
 		})
diff --git a/coderd/templateversions.go b/coderd/templateversions.go
@@ -27,6 +27,7 @@ func (api *API) templateVersion(rw http.ResponseWriter, r *http.Request) {
 		templateVersion = httpmw.TemplateVersionParam(r)
 		template        = httpmw.TemplateParam(r)
 	)
+
 	if !api.Authorize(r, rbac.ActionRead, templateVersion.RBACObject(template)) {
 		httpapi.ResourceNotFound(rw)
 		return

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@ func (api API) templateVersion(rw http.ResponseWriter, r http.Request) {`
`27`	`27`	`templateVersion = httpmw.TemplateVersionParam(r)`
`28`	`28`	`template = httpmw.TemplateParam(r)`
`29`	`29`	`)`
	`30`	`+`
`30`	`31`	`if !api.Authorize(r, rbac.ActionRead, templateVersion.RBACObject(template)) {`
`31`	`32`	`httpapi.ResourceNotFound(rw)`
`32`	`33`	`return`