@@ -186,31 +186,18 @@ func fetchAndQuery[ObjectType rbac.Objecter, ArgumentType any,
186186 }
187187}
188188
189- func fetch [ObjectType rbac.Objecter , ArgumentType any ,
190- Fetch func (ctx context.Context , arg ArgumentType ) (ObjectType , error )](
191- // Arguments
192- logger slog.Logger ,
193- authorizer rbac.Authorizer ,
194- fetchFunc Fetch ) Fetch {
195- return authorizedQuery (logger , authorizer , rbac .ActionRead , fetchFunc )
196- }
197-
198- // authorizedQuery is a generic function that wraps a database
189+ // fetch is a generic function that wraps a database
199190// query function (returns an object and an error) with authorization. The
200191// returned function has the same arguments as the database function.
201192//
202193// The database query function will **ALWAYS** hit the database, even if the
203194// user cannot read the resource. This is because the resource details are
204195// required to run a proper authorization check.
205- //
206- // An optimized version of this could be written if the object's authz
207- // subject properties are known by the caller.
208- func authorizedQuery [ArgumentType any , ObjectType rbac.Objecter ,
196+ func fetch [ArgumentType any , ObjectType rbac.Objecter ,
209197 DatabaseFunc func (ctx context.Context , arg ArgumentType ) (ObjectType , error )](
210198 // Arguments
211199 logger slog.Logger ,
212200 authorizer rbac.Authorizer ,
213- action rbac.Action ,
214201 f DatabaseFunc ) DatabaseFunc {
215202 return func (ctx context.Context , arg ArgumentType ) (empty ObjectType , err error ) {
216203 // Fetch the rbac subject
@@ -226,7 +213,7 @@ func authorizedQuery[ArgumentType any, ObjectType rbac.Objecter,
226213 }
227214
228215 // Authorize the action
229- err = authorizer .Authorize (ctx , act , action , object .RBACObject ())
216+ err = authorizer .Authorize (ctx , act , rbac . ActionRead , object .RBACObject ())
230217 if err != nil {
231218 return empty , LogNotAuthorizedError (ctx , logger , err )
232219 }
0 commit comments