WIP

ibetitsmike · ibetitsmike · commit 77be34e62b1e · 2025-05-16T16:32:46.000Z
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -2316,17 +2316,22 @@ func (q *querier) GetProvisionerJobTimingsByJobID(ctx context.Context, jobID uui
 }
 
 func (q *querier) GetProvisionerJobsByIDs(ctx context.Context, ids []uuid.UUID) ([]database.ProvisionerJob, error) {
-	// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
-	// 	return nil, err
-	// }
+	provisionerJobs, err := q.db.GetProvisionerJobsByIDs(ctx, ids)
+	if err != nil {
+		return nil, err
+	}
+	for _, job := range provisionerJobs {
+		if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs.InOrg(job.OrganizationID)); err != nil {
+			return nil, err
+		}
+	}
 	return q.db.GetProvisionerJobsByIDs(ctx, ids)
 }
 
 func (q *querier) GetProvisionerJobsByIDsWithQueuePosition(ctx context.Context, ids []uuid.UUID) ([]database.GetProvisionerJobsByIDsWithQueuePositionRow, error) {
 	// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
 	// 	return nil, err
 	// }
-	// policy.ActionRead, rbac.ResourceProvisionerJobs.InOrg(org.ID)
 	return q.db.GetProvisionerJobsByIDsWithQueuePosition(ctx, ids)
 }
 
@@ -2338,9 +2343,9 @@ func (q *querier) GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndP
 }
 
 func (q *querier) GetProvisionerJobsCreatedAfter(ctx context.Context, createdAt time.Time) ([]database.ProvisionerJob, error) {
-	// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
-	// 	return nil, err
-	// }
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+		return nil, err
+	}
 	return q.db.GetProvisionerJobsCreatedAfter(ctx, createdAt)
 }
 
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
@@ -694,9 +694,12 @@ func (s *MethodTestSuite) TestProvisionerJob() {
 			Asserts(v.RBACObject(tpl), []policy.Action{policy.ActionRead, policy.ActionUpdate}).Returns()
 	}))
 	s.Run("GetProvisionerJobsByIDs", s.Subtest(func(db database.Store, check *expects) {
-		a := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
-		b := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
-		check.Args([]uuid.UUID{a.ID, b.ID}).Asserts().Returns(slice.New(a, b))
+		orgID := uuid.New()
+		a := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{OrganizationID: orgID})
+		b := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{OrganizationID: orgID})
+		check.Args([]uuid.UUID{a.ID, b.ID}).
+			Asserts(rbac.ResourceProvisionerJobs.InOrg(orgID), policy.ActionRead, rbac.ResourceProvisionerJobs.InOrg(orgID), policy.ActionRead).
+			Returns(slice.New(a, b))
 	}))
 	s.Run("GetProvisionerLogsAfterID", s.Subtest(func(db database.Store, check *expects) {
 		u := dbgen.User(s.T(), db, database.User{})
@@ -3892,7 +3895,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 	}))
 	s.Run("GetProvisionerJobsCreatedAfter", s.Subtest(func(db database.Store, check *expects) {
 		_ = dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{CreatedAt: time.Now().Add(-time.Hour)})
-		check.Args(time.Now()).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionRead */ )
+		check.Args(time.Now()).Asserts(rbac.ResourceProvisionerJobs, policy.ActionRead)
 	}))
 	s.Run("GetTemplateVersionsByIDs", s.Subtest(func(db database.Store, check *expects) {
 		dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
@@ -3975,10 +3978,11 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 			Returns([]database.WorkspaceAgent{agt})
 	}))
 	s.Run("GetProvisionerJobsByIDs", s.Subtest(func(db database.Store, check *expects) {
-		a := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
-		b := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
+		orgID := uuid.New()
+		a := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{OrganizationID: orgID})
+		b := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{OrganizationID: orgID})
 		check.Args([]uuid.UUID{a.ID, b.ID}).
-			Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionRead */ ).
+			Asserts(rbac.ResourceProvisionerJobs.InOrg(orgID), policy.ActionRead, rbac.ResourceProvisionerJobs.InOrg(orgID), policy.ActionRead).
 			Returns(slice.New(a, b))
 	}))
 	s.Run("InsertWorkspaceAgent", s.Subtest(func(db database.Store, check *expects) {
@@ -4279,7 +4283,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 		check.Args([]uuid.UUID{uuid.New()}).Asserts(rbac.ResourceSystem, policy.ActionRead)
 	}))
 	s.Run("GetProvisionerJobsByIDsWithQueuePosition", s.Subtest(func(db database.Store, check *expects) {
-		check.Args([]uuid.UUID{}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionRead */ )
+		check.Args([]uuid.UUID{}).Asserts( /* rbac.ResourceProvisionerJobs.InOrg(orgID), policy.ActionRead */ )
 	}))
 	s.Run("GetReplicaByID", s.Subtest(func(db database.Store, check *expects) {
 		check.Args(uuid.New()).Asserts(rbac.ResourceSystem, policy.ActionRead).Errors(sql.ErrNoRows)
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -273,7 +273,6 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			Permissions(map[string][]policy.Action{
 				ResourceWorkspace.Type:        ownerWorkspaceActions,
 				ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop},
-				ResourceProvisionerJobs.Type:  {policy.ActionRead, policy.ActionUpdate, policy.ActionCreate},
 			})...),
 		Org:  map[string][]Permission{},
 		User: []Permission{},
