From 8befe8580525e665e01d066ae458f430bf06a0b5 Mon Sep 17 00:00:00 2001
From: Cian Johnston
Date: Mon, 20 Mar 2023 10:02:49 +0000
Subject: [PATCH] bug: dbauthz: fix RBAC call for GetTemplateVersionVariables
---
 coderd/database/dbauthz/querier.go | 2 +-
 coderd/database/dbauthz/querier_test.go | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/coderd/database/dbauthz/querier.go b/coderd/database/dbauthz/querier.go
index 4de696222a828..5c70e8e244526 100644
--- a/coderd/database/dbauthz/querier.go
+++ b/coderd/database/dbauthz/querier.go
@@ -735,7 +735,7 @@ func (q *querier) GetTemplateVersionVariables(ctx context.Context, templateVersi
 object = tv.RBACObject(template)
 }
- if err := q.authorizeContext(ctx, rbac.ActionCreate, object); err != nil {
+ if err := q.authorizeContext(ctx, rbac.ActionRead, object); err != nil {
 return nil, err
 }
 return q.db.GetTemplateVersionVariables(ctx, templateVersionID)
diff --git a/coderd/database/dbauthz/querier_test.go b/coderd/database/dbauthz/querier_test.go
index f31ec4876d000..cb746cb81d514 100644
--- a/coderd/database/dbauthz/querier_test.go
+++ b/coderd/database/dbauthz/querier_test.go
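Review bot: In querier.go, the relaxed check `q.authorizeContext(ctx, rbac.ActionRead, object)` lets any subject with read on `object` list the version's variables, and nothing at the call records that this is the intended bar. Whether variable values can hold secrets is not visible in this hunk; if they can, redaction has to happen above this layer, because the rows are returned unfiltered from `q.db.GetTemplateVersionVariables`. I would state the intent above the call: `// Variables are readable by anyone with read on the template version's RBAC object.` The function body starts before the hunk and its closing brace is outside it.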
@@ -599,6 +599,16 @@ func (s *MethodTestSuite) TestTemplate() {
 })
 check.Args(tv.ID).Asserts(t1, rbac.ActionRead).Returns([]database.TemplateVersionParameter{})
 }))
+ s.Run("GetTemplateVersionVariables", s.Subtest(func(db database.Store, check *expects) {
+ t1 := dbgen.Template(s.T(), db, database.Template{})
+ tv := dbgen.TemplateVersion(s.T(), db, database.TemplateVersion{
+ TemplateID: uuid.NullUUID{UUID: t1.ID, Valid: true},
+ })
+ tvv1 := dbgen.TemplateVersionVariable(s.T(), db, database.TemplateVersionVariable{
+ TemplateVersionID: tv.ID,
+ })
+ check.Args(tv.ID).Asserts(t1, rbac.ActionRead).Returns([]database.TemplateVersionVariable{tvv1})
+ }))
 s.Run("GetTemplateGroupRoles", s.Subtest(func(db database.Store, check *expects) {
 t1 := dbgen.Template(s.T(), db, database.Template{})
 check.Args(t1.ID).Asserts(t1, rbac.ActionRead)
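Review bot: The new `GetTemplateVersionVariables` subtest only builds a version with `TemplateID` set, so it pins the authorization action and object for the template-attached path alone. In querier.go the assignment `object = tv.RBACObject(template)` sits inside a block, which suggests a second path that selects a different object, presumably for a version without a template; no assertion here covers it. A sibling subtest that creates the version without a `TemplateID` and asserts `rbac.ActionRead` against the object that branch selects would keep a wrong action from going unnoticed there, as `ActionCreate` did. Until then, a comment on this subtest such as `// Covers only versions attached to a template.` would record the gap. TestTemplate starts before this hunk and continues past it.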