Skip to content

feat: remove "view all users" from members #8447

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 6 commits into from
Closed

feat: remove "view all users" from members #8447

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
04a2cae
chore: add owner to resourceUser rbac object
Emyrk Jul 11, 2023
76e724c
chore: templates conditionally return created by
Emyrk Jul 12, 2023
34a0e42
feat: make GetUsers query use sql filter
Emyrk Jul 12, 2023
5802921
Include custom db funcs in gen
Emyrk Jul 12, 2023
a9b7704
feat: implement proper sql filter for users query
Emyrk Jul 12, 2023
8e08055
Merge remote-tracking branch 'origin/main' into stevenmasley/no_read_…
Emyrk Jul 12, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
feat: make GetUsers query use sql filter
  • Loading branch information
@Emyrk
Emyrk committed Jul 12, 2023
commit 34a0e42009b87db4fe673a33f3f871e29d857580
33 changes: 19 additions & 14 deletions coderd/database/dbauthz/dbauthz.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -620,8 +620,12 @@ func (q *querier) GetAuthorizedUserCount(ctx context.Context, arg database.GetFi
}

func (q *querier) GetUsersWithCount(ctx context.Context, arg database.GetUsersParams) ([]database.User, int64, error) {
// TODO Implement this with a SQL filter. The count is incorrect without it.
rowUsers, err := q.db.GetUsers(ctx, arg)
prep, err := prepareSQLFilter(ctx, q.auth, rbac.ActionRead, rbac.ResourceUser.Type)
if err != nil {
return nil, -1, xerrors.Errorf("failed to prepare sql filter: %w", err)
}

rowUsers, err := q.db.GetAuthorizedUsers(ctx, arg, prep)
if err != nil {
return nil, -1, err
}
Expand All @@ -630,18 +634,8 @@ func (q *querier) GetUsersWithCount(ctx context.Context, arg database.GetUsersPa
return []database.User{}, 0, nil
}

act, ok := ActorFromContext(ctx)
if !ok {
return nil, -1, NoActorError
}

// TODO: Is this correct? Should we return a restricted user?
users := database.ConvertUserRows(rowUsers)
users, err = rbac.Filter(ctx, q.auth, act, rbac.ActionRead, users)
if err != nil {
return nil, -1, err
}

return users, rowUsers[0].Count, nil
}

Expand Down Expand Up @@ -699,6 +693,13 @@ func authorizedTemplateVersionFromJob(ctx context.Context, q *querier, job datab
}
}

// GetAuthorizedUsers is not required for dbauthz since GetUsers is already
// authenticated.
func (q *querier) GetAuthorizedUsers(ctx context.Context, arg database.GetUsersParams, _ rbac.PreparedAuthorized) ([]database.GetUsersRow, error) {
// GetUsers is authenticated.
return q.GetUsers(ctx, arg)
}

func (q *querier) AcquireLock(ctx context.Context, id int64) error {
return q.db.AcquireLock(ctx, id)
}
Expand Down Expand Up @@ -1427,8 +1428,12 @@ func (q *querier) GetUserLinkByUserIDLoginType(ctx context.Context, arg database
}

func (q *querier) GetUsers(ctx context.Context, arg database.GetUsersParams) ([]database.GetUsersRow, error) {
// TODO: We should use GetUsersWithCount with a better method signature.
return fetchWithPostFilter(q.auth, q.db.GetUsers)(ctx, arg)
// This does the filtering in SQL.
prep, err := prepareSQLFilter(ctx, q.auth, rbac.ActionRead, rbac.ResourceUser.Type)
if err != nil {
return nil, xerrors.Errorf("(dev error) prepare sql filter: %w", err)
}
return q.db.GetAuthorizedUsers(ctx, arg, prep)
}

// GetUsersByIDs is only used for usernames on workspace return data.
Expand Down
15 changes: 15 additions & 0 deletions coderd/database/dbmock/dbmock.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

61 changes: 61 additions & 0 deletions coderd/database/modelqueries.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -252,9 +252,70 @@ func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspa
}

type userQuerier interface {
GetAuthorizedUsers(ctx context.Context, arg GetUsersParams, prepared rbac.PreparedAuthorized) ([]GetUsersRow, error)
GetAuthorizedUserCount(ctx context.Context, arg GetFilteredUserCountParams, prepared rbac.PreparedAuthorized) (int64, error)
}

func (q *sqlQuerier) GetAuthorizedUsers(ctx context.Context, arg GetUsersParams, prepared rbac.PreparedAuthorized) ([]GetUsersRow, error) {
authorizedFilter, err := prepared.CompileToSQL(ctx, regosql.ConvertConfig{
VariableConverter: regosql.UserConverter(),
})

if err != nil {
return nil, xerrors.Errorf("compile authorized filter: %w", err)
}

filtered, err := insertAuthorizedFilter(getUsers, fmt.Sprintf(" AND %s", authorizedFilter))
if err != nil {
return nil, xerrors.Errorf("insert authorized filter: %w", err)
}

query := fmt.Sprintf("-- name: GetAuthorizedUsers :many\n%s", filtered)
rows, err := q.db.QueryContext(ctx, query,
arg.AfterID,
arg.Search,
pq.Array(arg.Status),
pq.Array(arg.RbacRole),
arg.LastSeenBefore,
arg.LastSeenAfter,
arg.OffsetOpt,
arg.LimitOpt,
)
if err != nil {
return nil, err
}
defer rows.Close()
var items []GetUsersRow
for rows.Next() {
var i GetUsersRow
if err := rows.Scan(
&i.ID,
&i.Email,
&i.Username,
&i.HashedPassword,
&i.CreatedAt,
&i.UpdatedAt,
&i.Status,
&i.RBACRoles,
&i.LoginType,
&i.AvatarURL,
&i.Deleted,
&i.LastSeenAt,
&i.Count,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Close(); err != nil {
return nil, err
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}

func (q *sqlQuerier) GetAuthorizedUserCount(ctx context.Context, arg GetFilteredUserCountParams, prepared rbac.PreparedAuthorized) (int64, error) {
authorizedFilter, err := prepared.CompileToSQL(ctx, regosql.ConvertConfig{
VariableConverter: regosql.UserConverter(),
Expand Down
1 change: 1 addition & 0 deletions coderd/database/queries.sql.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions coderd/database/queries/users.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,7 @@ WHERE
ELSE true
END
-- End of filters

ORDER BY
-- Deterministic and consistent ordering of all users. This is to ensure consistent pagination.
LOWER(username) ASC OFFSET @offset_opt
Expand Down
2 changes: 2 additions & 0 deletions site/src/components/Navbar/Navbar.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ export const Navbar: FC = () => {
const canViewAuditLog =
featureVisibility["audit_log"] && Boolean(permissions.viewAuditLog)
const canViewDeployment = Boolean(permissions.viewDeploymentValues)
const canViewUsers = Boolean(permissions.readAllUsers)
const onSignOut = () => authSend("SIGN_OUT")
const proxyContextValue = useProxy()
const dashboard = useDashboard()
Expand All @@ -29,6 +30,7 @@ export const Navbar: FC = () => {
onSignOut={onSignOut}
canViewAuditLog={canViewAuditLog}
canViewDeployment={canViewDeployment}
canViewUsers={canViewUsers}
proxyContextValue={
dashboard.experiments.includes("moons") ? proxyContextValue : undefined
}
Expand Down
8 changes: 8 additions & 0 deletions site/src/components/Navbar/NavbarView.test.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ describe("NavbarView", () => {
onSignOut={noop}
canViewAuditLog
canViewDeployment
canViewUsers
/>,
)
const workspacesLink = await screen.findByText(navLanguage.workspaces)
Expand All @@ -62,6 +63,7 @@ describe("NavbarView", () => {
onSignOut={noop}
canViewAuditLog
canViewDeployment
canViewUsers
/>,
)
const templatesLink = await screen.findByText(navLanguage.templates)
Expand All @@ -76,6 +78,7 @@ describe("NavbarView", () => {
onSignOut={noop}
canViewAuditLog
canViewDeployment
canViewUsers
/>,
)
const userLink = await screen.findByText(navLanguage.users)
Expand All @@ -98,6 +101,7 @@ describe("NavbarView", () => {
onSignOut={noop}
canViewAuditLog
canViewDeployment
canViewUsers
/>,
)

Expand All @@ -115,6 +119,7 @@ describe("NavbarView", () => {
onSignOut={noop}
canViewAuditLog
canViewDeployment
canViewUsers
/>,
)
const auditLink = await screen.findByText(navLanguage.audit)
Expand All @@ -129,6 +134,7 @@ describe("NavbarView", () => {
onSignOut={noop}
canViewAuditLog={false}
canViewDeployment
canViewUsers
/>,
)
const auditLink = screen.queryByText(navLanguage.audit)
Expand All @@ -143,6 +149,7 @@ describe("NavbarView", () => {
onSignOut={noop}
canViewAuditLog
canViewDeployment
canViewUsers
/>,
)
const auditLink = await screen.findByText(navLanguage.deployment)
Expand All @@ -159,6 +166,7 @@ describe("NavbarView", () => {
onSignOut={noop}
canViewAuditLog={false}
canViewDeployment={false}
canViewUsers={false}
/>,
)
const auditLink = screen.queryByText(navLanguage.deployment)
Expand Down
10 changes: 8 additions & 2 deletions site/src/components/Navbar/NavbarView.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,13 +36,15 @@ export interface NavbarViewProps {
onSignOut: () => void
canViewAuditLog: boolean
canViewDeployment: boolean
canViewUsers: boolean
proxyContextValue?: ProxyContextValue
}

export const Language = {
workspaces: "Workspaces",
templates: "Templates",
users: "Users",
groups: "Groups",
audit: "Audit",
deployment: "Deployment",
}
Expand All @@ -52,8 +54,9 @@ const NavItems: React.FC<
className?: string
canViewAuditLog: boolean
canViewDeployment: boolean
canViewUsers: boolean
}>
> = ({ className, canViewAuditLog, canViewDeployment }) => {
> = ({ className, canViewAuditLog, canViewUsers, canViewDeployment }) => {
const styles = useStyles()
const location = useLocation()

Expand All @@ -77,7 +80,7 @@ const NavItems: React.FC<
</ListItem>
<ListItem button className={styles.item}>
<NavLink className={styles.link} to={USERS_LINK}>
{Language.users}
{canViewUsers ? Language.users : Language.groups}
</NavLink>
</ListItem>
{canViewAuditLog && (
Expand Down Expand Up @@ -105,6 +108,7 @@ export const NavbarView: FC<NavbarViewProps> = ({
onSignOut,
canViewAuditLog,
canViewDeployment,
canViewUsers,
proxyContextValue,
}) => {
const styles = useStyles()
Expand Down Expand Up @@ -142,6 +146,7 @@ export const NavbarView: FC<NavbarViewProps> = ({
<NavItems
canViewAuditLog={canViewAuditLog}
canViewDeployment={canViewDeployment}
canViewUsers={canViewUsers}
/>
</div>
</Drawer>
Expand All @@ -158,6 +163,7 @@ export const NavbarView: FC<NavbarViewProps> = ({
className={styles.desktopNavItems}
canViewAuditLog={canViewAuditLog}
canViewDeployment={canViewDeployment}
canViewUsers={canViewUsers}
/>

<Box
Expand Down