@@ -62,6 +62,10 @@ func IsNotAuthorizedError(err error) bool {
6262 if err == nil {
6363 return false
6464 }
65+ if xerrors .Is (err , NoActorError ) {
66+ return true
67+ }
68+
6569 return xerrors .As (err , & NotAuthorizedError {})
6670}
6771
@@ -1338,7 +1342,7 @@ func (q *querier) GetTailnetTunnelPeerIDs(ctx context.Context, srcID uuid.UUID)
13381342func (q * querier ) GetTemplateAppInsights (ctx context.Context , arg database.GetTemplateAppInsightsParams ) ([]database.GetTemplateAppInsightsRow , error ) {
13391343 // Used by TemplateAppInsights endpoint
13401344 // For auditors, check read template_insights, and fall back to update template.
1341- if err := q .authorizeContext (ctx , rbac .ActionRead , rbac .ResourceTemplateInsights ); IsNotAuthorizedError ( err ) {
1345+ if err := q .authorizeContext (ctx , rbac .ActionRead , rbac .ResourceTemplateInsights ); err != nil {
13421346 for _ , templateID := range arg .TemplateIDs {
13431347 template , err := q .db .GetTemplateByID (ctx , templateID )
13441348 if err != nil {
@@ -1393,7 +1397,7 @@ func (q *querier) GetTemplateDAUs(ctx context.Context, arg database.GetTemplateD
13931397func (q * querier ) GetTemplateInsights (ctx context.Context , arg database.GetTemplateInsightsParams ) (database.GetTemplateInsightsRow , error ) {
13941398 // Used by TemplateInsights endpoint
13951399 // For auditors, check read template_insights, and fall back to update template.
1396- if err := q .authorizeContext (ctx , rbac .ActionRead , rbac .ResourceTemplateInsights ); IsNotAuthorizedError ( err ) {
1400+ if err := q .authorizeContext (ctx , rbac .ActionRead , rbac .ResourceTemplateInsights ); err != nil {
13971401 for _ , templateID := range arg .TemplateIDs {
13981402 template , err := q .db .GetTemplateByID (ctx , templateID )
13991403 if err != nil {
@@ -1416,7 +1420,7 @@ func (q *querier) GetTemplateInsights(ctx context.Context, arg database.GetTempl
14161420func (q * querier ) GetTemplateInsightsByInterval (ctx context.Context , arg database.GetTemplateInsightsByIntervalParams ) ([]database.GetTemplateInsightsByIntervalRow , error ) {
14171421 // Used by TemplateInsights endpoint
14181422 // For auditors, check read template_insights, and fall back to update template.
1419- if err := q .authorizeContext (ctx , rbac .ActionRead , rbac .ResourceTemplateInsights ); IsNotAuthorizedError ( err ) {
1423+ if err := q .authorizeContext (ctx , rbac .ActionRead , rbac .ResourceTemplateInsights ); err != nil {
14201424 for _ , templateID := range arg .TemplateIDs {
14211425 template , err := q .db .GetTemplateByID (ctx , templateID )
14221426 if err != nil {
@@ -1447,7 +1451,7 @@ func (q *querier) GetTemplateInsightsByTemplate(ctx context.Context, arg databas
14471451func (q * querier ) GetTemplateParameterInsights (ctx context.Context , arg database.GetTemplateParameterInsightsParams ) ([]database.GetTemplateParameterInsightsRow , error ) {
14481452 // Used by both insights endpoint and prometheus collector.
14491453 // For auditors, check read template_insights, and fall back to update template.
1450- if err := q .authorizeContext (ctx , rbac .ActionRead , rbac .ResourceTemplateInsights ); IsNotAuthorizedError ( err ) {
1454+ if err := q .authorizeContext (ctx , rbac .ActionRead , rbac .ResourceTemplateInsights ); err != nil {
14511455 for _ , templateID := range arg .TemplateIDs {
14521456 template , err := q .db .GetTemplateByID (ctx , templateID )
14531457 if err != nil {
@@ -1620,7 +1624,7 @@ func (q *querier) GetUnexpiredLicenses(ctx context.Context) ([]database.License,
16201624
16211625func (q * querier ) GetUserActivityInsights (ctx context.Context , arg database.GetUserActivityInsightsParams ) ([]database.GetUserActivityInsightsRow , error ) {
16221626 // Used by insights endpoints. Need to check both for auditors and for regular users with template acl perms.
1623- if err := q .authorizeContext (ctx , rbac .ActionRead , rbac .ResourceTemplateInsights ); IsNotAuthorizedError ( err ) {
1627+ if err := q .authorizeContext (ctx , rbac .ActionRead , rbac .ResourceTemplateInsights ); err != nil {
16241628 for _ , templateID := range arg .TemplateIDs {
16251629 template , err := q .db .GetTemplateByID (ctx , templateID )
16261630 if err != nil {
@@ -1657,7 +1661,7 @@ func (q *querier) GetUserCount(ctx context.Context) (int64, error) {
16571661
16581662func (q * querier ) GetUserLatencyInsights (ctx context.Context , arg database.GetUserLatencyInsightsParams ) ([]database.GetUserLatencyInsightsRow , error ) {
16591663 // Used by insights endpoints. Need to check both for auditors and for regular users with template acl perms.
1660- if err := q .authorizeContext (ctx , rbac .ActionRead , rbac .ResourceTemplateInsights ); IsNotAuthorizedError ( err ) {
1664+ if err := q .authorizeContext (ctx , rbac .ActionRead , rbac .ResourceTemplateInsights ); err != nil {
16611665 for _ , templateID := range arg .TemplateIDs {
16621666 template , err := q .db .GetTemplateByID (ctx , templateID )
16631667 if err != nil {
@@ -2266,10 +2270,12 @@ func (q *querier) InsertWorkspaceAgent(ctx context.Context, arg database.InsertW
22662270}
22672271
22682272func (q * querier ) InsertWorkspaceAgentLogSources (ctx context.Context , arg database.InsertWorkspaceAgentLogSourcesParams ) ([]database.WorkspaceAgentLogSource , error ) {
2273+ // TODO: This is used by the agent, should we have an rbac check here?
22692274 return q .db .InsertWorkspaceAgentLogSources (ctx , arg )
22702275}
22712276
22722277func (q * querier ) InsertWorkspaceAgentLogs (ctx context.Context , arg database.InsertWorkspaceAgentLogsParams ) ([]database.WorkspaceAgentLog , error ) {
2278+ // TODO: This is used by the agent, should we have an rbac check here?
22732279 return q .db .InsertWorkspaceAgentLogs (ctx , arg )
22742280}
22752281
0 commit comments