Plumb through WithID on rbac objects (complete)

Emyrk · Emyrk · commit a9cf8f48fe56 · 2023-01-18T14:48:05.000-06:00
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -83,11 +83,15 @@ func (f File) RBACObject() rbac.Object {
 
 // RBACObject returns the RBAC object for the site wide user resource.
 // If you are trying to get the RBAC object for the UserData, use
-// rbac.ResourceUserData
+// u.UserDataRBACObject() instead.
 func (u User) RBACObject() rbac.Object {
 	return rbac.ResourceUser.WithID(u.ID)
 }
 
+func (u User) UserDataRBACObject() rbac.Object {
+	return rbac.ResourceUser.WithID(u.ID).WithOwner(u.ID.String())
+}
+
 func (License) RBACObject() rbac.Object {
 	return rbac.ResourceLicense
 }
diff --git a/coderd/gitsshkey.go b/coderd/gitsshkey.go
@@ -34,7 +34,7 @@ func (api *API) regenerateGitSSHKey(rw http.ResponseWriter, r *http.Request) {
 	)
 	defer commitAudit()
 
-	if !api.Authorize(r, rbac.ActionUpdate, rbac.ResourceUserData.WithOwner(user.ID.String())) {
+	if !api.Authorize(r, rbac.ActionUpdate, user.UserDataRBACObject()) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}
@@ -93,7 +93,7 @@ func (api *API) gitSSHKey(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	user := httpmw.UserParam(r)
 
-	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceUserData.WithOwner(user.ID.String())) {
+	if !api.Authorize(r, rbac.ActionRead, user.UserDataRBACObject()) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}
diff --git a/coderd/users.go b/coderd/users.go
@@ -416,7 +416,7 @@ func (api *API) userByName(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 	organizationIDs, err := userOrganizationIDs(ctx, api, user)
 
-	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceUser) {
+	if !api.Authorize(r, rbac.ActionRead, user) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}
@@ -457,7 +457,7 @@ func (api *API) putUserProfile(rw http.ResponseWriter, r *http.Request) {
 	defer commitAudit()
 	aReq.Old = user
 
-	if !api.Authorize(r, rbac.ActionUpdate, rbac.ResourceUser) {
+	if !api.Authorize(r, rbac.ActionUpdate, user) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}
@@ -563,7 +563,7 @@ func (api *API) putUserStatus(status database.UserStatus) func(rw http.ResponseW
 		defer commitAudit()
 		aReq.Old = user
 
-		if !api.Authorize(r, rbac.ActionDelete, rbac.ResourceUser) {
+		if !api.Authorize(r, rbac.ActionDelete, user) {
 			httpapi.ResourceNotFound(rw)
 			return
 		}
@@ -640,7 +640,7 @@ func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
 	defer commitAudit()
 	aReq.Old = user
 
-	if !api.Authorize(r, rbac.ActionUpdate, rbac.ResourceUserData.WithOwner(user.ID.String())) {
+	if !api.Authorize(r, rbac.ActionUpdate, user.UserDataRBACObject()) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}
@@ -665,7 +665,7 @@ func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {
 
 	// admins can change passwords without sending old_password
 	if params.OldPassword == "" {
-		if !api.Authorize(r, rbac.ActionUpdate, rbac.ResourceUser) {
+		if !api.Authorize(r, rbac.ActionUpdate, user) {
 			httpapi.Forbidden(rw)
 			return
 		}
@@ -753,7 +753,7 @@ func (api *API) userRoles(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	user := httpmw.UserParam(r)
 
-	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceUserData.WithOwner(user.ID.String())) {
+	if !api.Authorize(r, rbac.ActionRead, user.UserDataRBACObject()) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}
@@ -832,7 +832,7 @@ func (api *API) putUserRoles(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if !api.Authorize(r, rbac.ActionRead, rbac.ResourceUser) {
+	if !api.Authorize(r, rbac.ActionRead, user) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}
diff --git a/enterprise/coderd/workspacequota.go b/enterprise/coderd/workspacequota.go
@@ -110,7 +110,7 @@ func (c *committer) CommitQuota(
 func (api *API) workspaceQuota(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 
-	if !api.AGPL.Authorize(r, rbac.ActionRead, rbac.ResourceUser) {
+	if !api.AGPL.Authorize(r, rbac.ActionRead, user) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ func (api API) regenerateGitSSHKey(rw http.ResponseWriter, r http.Request) {`
`34`	`34`	`)`
`35`	`35`	`defer commitAudit()`
`36`	`36`
`37`		`- if !api.Authorize(r, rbac.ActionUpdate, rbac.ResourceUserData.WithOwner(user.ID.String())) {`
	`37`	`+ if !api.Authorize(r, rbac.ActionUpdate, user.UserDataRBACObject()) {`
`38`	`38`	`httpapi.ResourceNotFound(rw)`
`39`	`39`	`return`
`40`	`40`	`}`
`@@ -93,7 +93,7 @@ func (api API) gitSSHKey(rw http.ResponseWriter, r http.Request) {`
`93`	`93`	`ctx := r.Context()`
`94`	`94`	`user := httpmw.UserParam(r)`
`95`	`95`
`96`		`- if !api.Authorize(r, rbac.ActionRead, rbac.ResourceUserData.WithOwner(user.ID.String())) {`
	`96`	`+ if !api.Authorize(r, rbac.ActionRead, user.UserDataRBACObject()) {`
`97`	`97`	`httpapi.ResourceNotFound(rw)`
`98`	`98`	`return`
`99`	`99`	`}`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ func (c *committer) CommitQuota(`
`110`	`110`	`func (api API) workspaceQuota(rw http.ResponseWriter, r http.Request) {`
`111`	`111`	`user := httpmw.UserParam(r)`
`112`	`112`
`113`		`- if !api.AGPL.Authorize(r, rbac.ActionRead, rbac.ResourceUser) {`
	`113`	`+ if !api.AGPL.Authorize(r, rbac.ActionRead, user) {`
`114`	`114`	`httpapi.ResourceNotFound(rw)`
`115`	`115`	`return`
`116`	`116`	`}`