Skip to content

feat: Return more 404s vs 403s #2194

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 16 commits into from
Jun 14, 2022
Merged

feat: Return more 404s vs 403s #2194

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
a92f132
feat: Return more 404s vs 403s
Emyrk Jun 8, 2022
4e23ea7
Fix unit test assertion
Emyrk Jun 8, 2022
0562d2c
return 404 when member of org not found
Emyrk Jun 9, 2022
c7f976e
fixup! return 404 when member of org not found
Emyrk Jun 9, 2022
6ef1647
chore: Manually forbidden after Authorize
Emyrk Jun 10, 2022
8f90af4
Use %q over %s
Emyrk Jun 10, 2022
a6d15ed
Fix authoirze test
Emyrk Jun 10, 2022
815baf9
Return vague 404
Emyrk Jun 10, 2022
3f742ba
Merge remote-tracking branch 'origin/main' into stevenmasley/404_vs_403
Emyrk Jun 10, 2022
8bfe1f7
fix test assert
Emyrk Jun 10, 2022
7155b2e
Merge remote-tracking branch 'origin/main' into stevenmasley/404_vs_403
Emyrk Jun 10, 2022
7aa76f7
Fix compile issue
Emyrk Jun 10, 2022
3f07738
Modify 404 message
Emyrk Jun 10, 2022
9a40838
Merge remote-tracking branch 'origin/main' into stevenmasley/404_vs_403
Emyrk Jun 13, 2022
2c1ac1c
Use proper 404s
Emyrk Jun 13, 2022
93c04db
If cannot read user, return 404
Emyrk Jun 13, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Merge remote-tracking branch 'origin/main' into stevenmasley/404_vs_403
  • Loading branch information
@Emyrk
Emyrk committed Jun 10, 2022
commit 3f742ba04c88c2e72783033c751af6b58e38294f
13 changes: 3 additions & 10 deletions coderd/httpmw/templateparam.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ import (
"context"
"database/sql"
"errors"
"fmt"
"net/http"

"github.com/go-chi/chi/v5"
Expand Down Expand Up @@ -33,10 +32,9 @@ func ExtractTemplateParam(db database.Store) func(http.Handler) http.Handler {
return
}
template, err := db.GetTemplateByID(r.Context(), templateID)
if errors.Is(err, sql.ErrNoRows) {
httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
Message: fmt.Sprintf("Template %q does not exist.", templateID),
})
if errors.Is(err, sql.ErrNoRows) || (err == nil && template.Deleted) {
httpapi.ResourceNotFound(rw)
return
}
if err != nil {
httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
Expand All @@ -46,11 +44,6 @@ func ExtractTemplateParam(db database.Store) func(http.Handler) http.Handler {
return
}

if template.Deleted {
httpapi.ResourceNotFound(rw)
return
}

ctx := context.WithValue(r.Context(), templateParamContextKey{}, template)
chi.RouteContext(ctx).URLParams.Add("organization", template.OrganizationID.String())
next.ServeHTTP(rw, r.WithContext(ctx))
Expand Down
3 changes: 2 additions & 1 deletion coderd/users.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -418,7 +418,8 @@ func (api *API) putUserPassword(rw http.ResponseWriter, r *http.Request) {

// admins can change passwords without sending old_password
if params.OldPassword == "" {
if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUser.WithID(user.ID.String())) {
if !api.Authorize(r, rbac.ActionUpdate, rbac.ResourceUser.WithID(user.ID.String())) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as an aside, it is very unintuitive to me that this check should fail for my own user.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not? There is ResourceUser and ResourceUserData. The former cannot be edited by "me"

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess that's just it. Why can't I edit my own "ResourceUser" resource? The code says

	// ResourceUser is the user in the 'users' table.
	// ResourceUser never has any owners or in an org, as it's site wide.
	// 	create/delete = make or delete a new user.
	// 	read = view all 'user' table data
	// 	update = update all 'user' table data
	ResourceUser = Object{
		Type: "user",
	}

Things like email and password are in the users table, and users can change them, no?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea, I need to fix that comment. The comment is incorrect as I since placed email as a ResourceUserData. There was some thrashing there and now the comment is stale.

My mistake

httpapi.Forbidden(rw)
return
}
} else {
Expand Down
9 changes: 6 additions & 3 deletions coderd/workspaceagents.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,8 @@ import (
func (api *API) workspaceAgent(rw http.ResponseWriter, r *http.Request) {
workspaceAgent := httpmw.WorkspaceAgentParam(r)
workspace := httpmw.WorkspaceParam(r)
if !api.Authorize(rw, r, rbac.ActionRead, workspace) {
if !api.Authorize(r, rbac.ActionRead, workspace) {
httpapi.ResourceNotFound(rw)
return
}
dbApps, err := api.Database.GetWorkspaceAppsByAgentID(r.Context(), workspaceAgent.ID)
Expand Down Expand Up @@ -64,7 +65,8 @@ func (api *API) workspaceAgentDial(rw http.ResponseWriter, r *http.Request) {

workspaceAgent := httpmw.WorkspaceAgentParam(r)
workspace := httpmw.WorkspaceParam(r)
if !api.Authorize(rw, r, rbac.ActionUpdate, workspace) {
if !api.Authorize(r, rbac.ActionUpdate, workspace) {
httpapi.ResourceNotFound(rw)
return
}
apiAgent, err := convertWorkspaceAgent(workspaceAgent, nil, api.AgentConnectionUpdateFrequency)
Expand Down Expand Up @@ -379,7 +381,8 @@ func (api *API) workspaceAgentPTY(rw http.ResponseWriter, r *http.Request) {

workspaceAgent := httpmw.WorkspaceAgentParam(r)
workspace := httpmw.WorkspaceParam(r)
if !api.Authorize(rw, r, rbac.ActionUpdate, workspace) {
if !api.Authorize(r, rbac.ActionUpdate, workspace) {
httpapi.ResourceNotFound(rw)
return
}
apiAgent, err := convertWorkspaceAgent(workspaceAgent, nil, api.AgentConnectionUpdateFrequency)
Expand Down
8 changes: 3 additions & 5 deletions coderd/workspacebuilds.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,9 +179,7 @@ func (api *API) workspaceBuildByBuildNumber(rw http.ResponseWriter, r *http.Requ
Name: workspaceName,
})
if errors.Is(err, sql.ErrNoRows) {
httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
Message: fmt.Sprintf("Workspace %q does not exist.", workspaceName),
})
httpapi.ResourceNotFound(rw)
return
}
if err != nil {
Expand All @@ -192,8 +190,8 @@ func (api *API) workspaceBuildByBuildNumber(rw http.ResponseWriter, r *http.Requ
return
}

if !api.Authorize(rw, r, rbac.ActionRead, rbac.ResourceWorkspace.
InOrg(workspace.OrganizationID).WithOwner(workspace.OwnerID.String()).WithID(workspace.ID.String())) {
if !api.Authorize(r, rbac.ActionRead, workspace) {
httpapi.ResourceNotFound(rw)
return
}

Expand Down
2 changes: 1 addition & 1 deletion coderd/workspaces_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -293,7 +293,7 @@ func TestWorkspaceByOwnerAndName(t *testing.T) {

// Then:
// When we call without includes_deleted, we don't expect to get the workspace back
_, err = client.WorkspaceByOwnerAndName(context.Background(), workspace.OwnerName, workspace.Name, codersdk.WorkspaceByOwnerAndNameParams{})
_, err = client.WorkspaceByOwnerAndName(context.Background(), workspace.OwnerName, workspace.Name, codersdk.WorkspaceOptions{})
require.ErrorContains(t, err, "404")

// Then:
Expand Down
You are viewing a condensed version of this merge commit. You can view the full changes here.