
Commit f34c61b

committed
fixup! authzquery: implement group and system methods
1 parent b7cd5a5 commit f34c61b


1 file changed

+6
-13
lines changed

1 file changed

+6
-13
lines changed

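--- a/coderd/authzquery/group.go
+++ b/coderd/authzquery/group.go
@@ -3,11 +3,10 @@ package authzquery
 import (
 "context"
 
-"github.com/coder/coder/coderd/rbac"
-
 "github.com/google/uuid"
 
 "github.com/coder/coder/coderd/database"
+"github.com/coder/coder/coderd/rbac"
 )
 
 func (q *AuthzQuerier) DeleteGroupByID(ctx context.Context, id uuid.UUID) error {
@@ -34,9 +33,8 @@ func (q *AuthzQuerier) InsertUserGroupsByName(ctx context.Context, arg database.
 
 func (q *AuthzQuerier) DeleteGroupMembersByOrgAndUser(ctx context.Context, arg database.DeleteGroupMembersByOrgAndUserParams) error {
 // This will remove the user from all groups in the org. This counts as updating a group.
-// Authorizing this 100% correctly requires fetching all groups in the org, and checking if the user is a member.
-// If so, we then need to check if the caller has permission to update those groups.
-// This is prohibitively expensive, so we instead check if the caller has permission to update *a* group in the org.
+// NOTE: instead of fetching all groups in the org with arg.UserID as a member, we instead
+// check if the caller has permission to update any group in the org.
 fetch := func(ctx context.Context, arg database.DeleteGroupMembersByOrgAndUserParams) (rbac.Objecter, error) {
 return rbac.ResourceGroup.InOrg(arg.OrganizationID), nil
 }
@@ -52,15 +50,10 @@ func (q *AuthzQuerier) GetGroupByOrgAndName(ctx context.Context, arg database.Ge
 }
 
 func (q *AuthzQuerier) GetGroupMembers(ctx context.Context, groupID uuid.UUID) ([]database.User, error) {
-group, err := q.database.GetGroupByID(ctx, groupID)
-if err != nil {
-return nil, err
+relatedFunc := func(_ []database.User, groupID uuid.UUID) (database.Group, error) {
+return q.database.GetGroupByID(ctx, groupID)
 }
-if err := q.authorizeContext(ctx, rbac.ActionRead, group); err != nil {
-return nil, err
-}
-
-return q.database.GetGroupMembers(ctx, groupID)
+return authorizedQueryWithRelated(q.logger, q.authorizer, rbac.ActionRead, relatedFunc, q.database.GetGroupMembers)(ctx, groupID)
 }
 
 func (q *AuthzQuerier) InsertAllUsersGroup(ctx context.Context, organizationID uuid.UUID) (database.Group, error) {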
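Review bot: GetGroupMembers in the third hunk reverses the previous check-then-fetch order: the old body resolved the group and passed the read check before touching the members query, whereas the new body hands q.database.GetGroupMembers to authorizedQueryWithRelated, whose first argument to relatedFunc is the already-fetched []database.User, so the members rows are read before the group is resolved and authorized (inferred from the relatedFunc signature; the wrapper itself is defined outside this hunk). An unauthorized caller can therefore still drive the members query, and a nonexistent group now surfaces as an error from relatedFunc after that query rather than up front, so it is worth confirming the wrapper discards the rows on a denied check. If this ordering is intended, a comment on the relatedFunc line such as `// Members are fetched first; the read check runs against the group afterwards and the wrapper drops the rows on deny.` would make the contract explicit. relatedFunc also closes over the outer ctx instead of receiving one, so the wrapper cannot hand it a derived context. In the second hunk the rewritten comment reads "instead of ... we instead", so one "instead" can go.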
