bug: attempting to update quiet hours as a user results in an RBAC error (and a 500) #10482

Closed
@sreya

Description

It should obviously not result in an RBAC error, and we should be returning a 403, not a 500.

2023-11-02 00:28:37.531 [info]  coderd: audit_log  ID=20c321f2-e9d1-4a33-8972-edc3564d233a  Time="2023-11-02T00:28:37.525916Z"  UserID=011ce9a6-480b-4a2c-a49e-7be0d7570b97  OrganizationID=00000000-0000-0000-0000-000000000000  Ip=10.0.101.64  UserAgent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0"  ResourceType=user  ResourceID=011ce9a6-480b-4a2c-a49e-7be0d7570b97  ResourceTarget=  Action=write  Diff="{}"  StatusCode=500  AdditionalFields="{}"  RequestID=8e952963-f58f-41a5-ab46-5bea553b64ad  ResourceIcon=""  actor="&{ID:011ce9a6-480b-4a2c-a49e-7be0d7570b97 Email: Username:}"
2023-11-02 00:28:37.531 [warn]  coderd: PUT  host=  path=/api/v2/users/011ce9a6-480b-4a2c-a49e-7be0d7570b97/quiet-hours  proto=HTTP/2.0  remote_addr=10.0.101.64  start="2023-11-02T00:28:37.51739605Z"  took=14.483848ms  status_code=500  latency_ms=14  response_body="{\"message\":\"An internal server error occurred.\",\"detail\":\"update user quiet hours schedule: unauthorized: rbac: forbidden\"}\n"  request_id=8e952963-f58f-41a5-ab46-5bea553b64ad

EDIT (@spikecurtis): The HTTP status to return when a user has insufficient permission is 403 Forbidden, not 401 Unauthorized (which actually refers to an authentication failure, despite its confusing name).
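An added example in Go of the error-to-status mapping this issue asks for; it is not coderd's own code, and the sentinel names, updateQuietHours and respond are assumptions made for illustration. Wrapping with %w keeps the RBAC failure visible to errors.Is after the handler adds context, so it can be classified as 403 while unexpected errors stay 500, and the internal detail string from the log above is not echoed to the client.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Sentinel errors standing in for the authorization layer's results.
// These names are assumed for this example; they are not coderd's own.
var (
	ErrForbidden = errors.New("rbac: forbidden")
	ErrNotFound  = errors.New("not found")
)

// updateQuietHours stands in for the storage call behind
// PUT /api/v2/users/{id}/quiet-hours. Wrapping with %w keeps the
// authorization failure in the chain so errors.Is can still find it.
func updateQuietHours(allowed bool) error {
	if !allowed {
		return fmt.Errorf("update user quiet hours schedule: %w", ErrForbidden)
	}
	return nil
}

// respond classifies the error chain into the status code and the
// client-visible message. Permission denials become 403, missing
// resources 404, and only unexpected errors remain a 500. The wrapped
// internal detail is for server-side logs, never for the response body.
func respond(err error) (int, string) {
	switch {
	case err == nil:
		return http.StatusNoContent, ""
	case errors.Is(err, ErrForbidden):
		return http.StatusForbidden, "You do not have permission to update this schedule."
	case errors.Is(err, ErrNotFound):
		return http.StatusNotFound, "Resource not found."
	default:
		return http.StatusInternalServerError, "An internal server error occurred."
	}
}

func main() {
	// Constructed scenario: an ordinary user updating their own schedule
	// is denied by the authorizer, as in the reported request.
	for _, allowed := range []bool{false, true} {
		code, msg := respond(updateQuietHours(allowed))
		fmt.Printf("allowed=%v -> %d %q\n", allowed, code, msg)
	}
}
```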

Labels: s1 (Bugs that break core workflows. Only humans may set this.)