remove dbauthz system usage

johnstcn · johnstcn · commit 982acef41ac3 · 2025-03-26T16:36:58.000Z
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -284,7 +284,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 
 	if options.PushNotifier == nil {
 		// nolint:gocritic // Gets/sets VAPID keys.
-		pushNotifier, err := push.New(dbauthz.AsSystemRestricted(context.Background()), options.Logger, options.Database)
+		pushNotifier, err := push.New(dbauthz.AsNotifier(context.Background()), options.Logger, options.Database)
 		if err != nil {
 			panic(xerrors.Errorf("failed to create push notifier: %w", err))
 		}
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -281,8 +281,10 @@ var (
 				Identifier:  rbac.RoleIdentifier{Name: "notifier"},
 				DisplayName: "Notifier",
 				Site: rbac.Permissions(map[string][]policy.Action{
-					rbac.ResourceNotificationMessage.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
-					rbac.ResourceInboxNotification.Type:   {policy.ActionCreate},
+					rbac.ResourceNotificationMessage.Type:          {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+					rbac.ResourceInboxNotification.Type:            {policy.ActionCreate},
+					rbac.ResourceNotificationPushSubscription.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+					rbac.ResourceDeploymentConfig.Type:             {policy.ActionRead, policy.ActionUpdate}, // To read and upsert VAPID keys
 				}),
 				Org:  map[string][]rbac.Permission{},
 				User: []rbac.Permission{},
@@ -317,25 +319,24 @@ var (
 				Identifier:  rbac.RoleIdentifier{Name: "system"},
 				DisplayName: "Coder",
 				Site: rbac.Permissions(map[string][]policy.Action{
-					rbac.ResourceWildcard.Type:                     {policy.ActionRead},
-					rbac.ResourceApiKey.Type:                       rbac.ResourceApiKey.AvailableActions(),
-					rbac.ResourceGroup.Type:                        {policy.ActionCreate, policy.ActionUpdate},
-					rbac.ResourceAssignRole.Type:                   rbac.ResourceAssignRole.AvailableActions(),
-					rbac.ResourceAssignOrgRole.Type:                rbac.ResourceAssignOrgRole.AvailableActions(),
-					rbac.ResourceSystem.Type:                       {policy.WildcardSymbol},
-					rbac.ResourceOrganization.Type:                 {policy.ActionCreate, policy.ActionRead},
-					rbac.ResourceOrganizationMember.Type:           {policy.ActionCreate, policy.ActionDelete, policy.ActionRead},
-					rbac.ResourceProvisionerDaemon.Type:            {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},
-					rbac.ResourceUser.Type:                         rbac.ResourceUser.AvailableActions(),
-					rbac.ResourceWorkspaceDormant.Type:             {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStop},
-					rbac.ResourceWorkspace.Type:                    {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop, policy.ActionSSH},
-					rbac.ResourceWorkspaceProxy.Type:               {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
-					rbac.ResourceDeploymentConfig.Type:             {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
-					rbac.ResourceNotificationMessage.Type:          {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
-					rbac.ResourceNotificationPreference.Type:       {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
-					rbac.ResourceNotificationTemplate.Type:         {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
-					rbac.ResourceNotificationPushSubscription.Type: {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
-					rbac.ResourceCryptoKey.Type:                    {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
+					rbac.ResourceWildcard.Type:               {policy.ActionRead},
+					rbac.ResourceApiKey.Type:                 rbac.ResourceApiKey.AvailableActions(),
+					rbac.ResourceGroup.Type:                  {policy.ActionCreate, policy.ActionUpdate},
+					rbac.ResourceAssignRole.Type:             rbac.ResourceAssignRole.AvailableActions(),
+					rbac.ResourceAssignOrgRole.Type:          rbac.ResourceAssignOrgRole.AvailableActions(),
+					rbac.ResourceSystem.Type:                 {policy.WildcardSymbol},
+					rbac.ResourceOrganization.Type:           {policy.ActionCreate, policy.ActionRead},
+					rbac.ResourceOrganizationMember.Type:     {policy.ActionCreate, policy.ActionDelete, policy.ActionRead},
+					rbac.ResourceProvisionerDaemon.Type:      {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},
+					rbac.ResourceUser.Type:                   rbac.ResourceUser.AvailableActions(),
+					rbac.ResourceWorkspaceDormant.Type:       {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStop},
+					rbac.ResourceWorkspace.Type:              {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop, policy.ActionSSH},
+					rbac.ResourceWorkspaceProxy.Type:         {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
+					rbac.ResourceDeploymentConfig.Type:       {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
+					rbac.ResourceNotificationMessage.Type:    {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+					rbac.ResourceNotificationPreference.Type: {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
+					rbac.ResourceNotificationTemplate.Type:   {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
+					rbac.ResourceCryptoKey.Type:              {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 				}),
 				Org:  map[string][]rbac.Permission{},
 				User: []rbac.Permission{},
diff --git a/coderd/notifications/push/push.go b/coderd/notifications/push/push.go
@@ -135,7 +135,7 @@ func (n *Notifier) Dispatch(ctx context.Context, userID uuid.UUID, notification
 
 	if len(cleanupSubscriptions) > 0 {
 		// nolint:gocritic // These are known to be invalid subscriptions.
-		err = n.store.DeleteNotificationPushSubscriptions(dbauthz.AsSystemRestricted(ctx), cleanupSubscriptions)
+		err = n.store.DeleteNotificationPushSubscriptions(dbauthz.AsNotifier(ctx), cleanupSubscriptions)
 		if err != nil {
 			n.log.Error(ctx, "failed to delete stale push subscriptions", slog.Error(err))
 		}

Original file line number	Diff line number	Diff line change
`@@ -284,7 +284,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can`
`284`	`284`
`285`	`285`	`if options.PushNotifier == nil {`
`286`	`286`	`// nolint:gocritic // Gets/sets VAPID keys.`
`287`		`- pushNotifier, err := push.New(dbauthz.AsSystemRestricted(context.Background()), options.Logger, options.Database)`
	`287`	`+ pushNotifier, err := push.New(dbauthz.AsNotifier(context.Background()), options.Logger, options.Database)`
`288`	`288`	`if err != nil {`
`289`	`289`	`panic(xerrors.Errorf("failed to create push notifier: %w", err))`
`290`	`290`	`}`
Original file line number	Diff line number	Diff line change
`@@ -135,7 +135,7 @@ func (n *Notifier) Dispatch(ctx context.Context, userID uuid.UUID, notification`
`135`	`135`
`136`	`136`	`if len(cleanupSubscriptions) > 0 {`
`137`	`137`	`// nolint:gocritic // These are known to be invalid subscriptions.`
`138`		`- err = n.store.DeleteNotificationPushSubscriptions(dbauthz.AsSystemRestricted(ctx), cleanupSubscriptions)`
	`138`	`+ err = n.store.DeleteNotificationPushSubscriptions(dbauthz.AsNotifier(ctx), cleanupSubscriptions)`
`139`	`139`	`if err != nil {`
`140`	`140`	`n.log.Error(ctx, "failed to delete stale push subscriptions", slog.Error(err))`
`141`	`141`	`}`