bug: attempting to update quiet hours as a user results in an RBAC error (and a 500) #10482

Closed
sreya opened this issue Nov 2, 2023 · 0 comments · Fixed by #10547
Assignees
Labels
s1 Bugs that break core workflows. Only humans may set this.

Comments

@sreya
Collaborator

sreya commented Nov 2, 2023

It should obviously not result in an RBAC error, and we should be returning a 403, not a 500.

2023-11-02 00:28:37.531 [info]  coderd: audit_log  ID=20c321f2-e9d1-4a33-8972-edc3564d233a  Time="2023-11-02T00:28:37.525916Z"  UserID=011ce9a6-480b-4a2c-a49e-7be0d7570b97  OrganizationID=00000000-0000-0000-0000-000000000000  Ip=10.0.101.64  UserAgent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0"  ResourceType=user  ResourceID=011ce9a6-480b-4a2c-a49e-7be0d7570b97  ResourceTarget=  Action=write  Diff="{}"  StatusCode=500  AdditionalFields="{}"  RequestID=8e952963-f58f-41a5-ab46-5bea553b64ad  ResourceIcon=""  actor="&{ID:011ce9a6-480b-4a2c-a49e-7be0d7570b97 Email: Username:}"
2023-11-02 00:28:37.531 [warn]  coderd: PUT  host=  path=/api/v2/users/011ce9a6-480b-4a2c-a49e-7be0d7570b97/quiet-hours  proto=HTTP/2.0  remote_addr=10.0.101.64  start="2023-11-02T00:28:37.51739605Z"  took=14.483848ms  status_code=500  latency_ms=14  response_body="{\"message\":\"An internal server error occurred.\",\"detail\":\"update user quiet hours schedule: unauthorized: rbac: forbidden\"}\n"  request_id=8e952963-f58f-41a5-ab46-5bea553b64ad

EDIT @spikecurtis | The HTTP status to return when a user has insufficient permission is 403 Forbidden, not 401 Unauthorized (which actually refers to an authentication failure, despite its confusing name).

@cdr-bot cdr-bot bot added the bug label Nov 2, 2023
@sreya sreya added the s1 Bugs that break core workflows. Only humans may set this. label Nov 2, 2023
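The status-code mapping discussed in this issue, as an added example that is not Coder's own code: the store wraps the authorizer's error (the log shows "update user quiet hours schedule: unauthorized: rbac: forbidden"), so a handler that compares the error by value misses the sentinel and falls through to 500, while errors.Is unwraps it and yields 403. The sentinel name, the store function and the user ID are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// ErrRBACForbidden is a constructed stand-in for the authorizer's sentinel
// error; the real project's error type and name are not shown in the issue.
var ErrRBACForbidden = errors.New("unauthorized: rbac: forbidden")

// updateQuietHours is a hypothetical store call that fails its RBAC check and
// wraps the sentinel, producing the same message shape seen in the log line.
func updateQuietHours(userID string) error {
	return fmt.Errorf("update user quiet hours schedule: %w", ErrRBACForbidden)
}

// statusForError maps a store error to the HTTP status the handler returns.
// errors.Is walks the wrap chain, so the wrapped sentinel is still recognised
// and the request is answered with 403 instead of a generic 500.
func statusForError(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, ErrRBACForbidden):
		// Authenticated but not permitted: 403 Forbidden, never 401 (which
		// means authentication failed) and never 500 (an unexpected failure).
		return http.StatusForbidden
	default:
		return http.StatusInternalServerError
	}
}

// naiveStatusForError reproduces the bug: == sees only the outer wrapper.
func naiveStatusForError(err error) int {
	if err == ErrRBACForbidden {
		return http.StatusForbidden
	}
	return http.StatusInternalServerError
}

func main() {
	err := updateQuietHours("constructed-user-id")
	fmt.Println(err, "->", naiveStatusForError(err), "vs", statusForError(err))
}
```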
2 participants