
Commit 11d8c0a

committed
Apply a new authorization check for GetProvisionerJobByIDForUpdate
1 parent c800494 commit 11d8c0a


2 files changed

+26
-12
lines changed


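--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -2439,38 +2439,51 @@ func (q *querier) GetProvisionerDaemonsWithStatusByOrganization(ctx context.Cont
 return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetProvisionerDaemonsWithStatusByOrganization)(ctx, arg)
 }
 
-func (q *querier) GetProvisionerJobByID(ctx context.Context, id uuid.UUID) (database.ProvisionerJob, error) {
-job, err := q.db.GetProvisionerJobByID(ctx, id)
-if err != nil {
-return database.ProvisionerJob{}, err
-}
-
+func (q *querier) authorizeProvisionerJob(ctx context.Context, job database.ProvisionerJob) error {
 switch job.Type {
 case database.ProvisionerJobTypeWorkspaceBuild:
 // Authorized call to get workspace build. If we can read the build, we
 // can read the job.
-_, err := q.GetWorkspaceBuildByJobID(ctx, id)
+_, err := q.GetWorkspaceBuildByJobID(ctx, job.ID)
 if err != nil {
-return database.ProvisionerJob{}, xerrors.Errorf("fetch related workspace build: %w", err)
+return xerrors.Errorf("fetch related workspace build: %w", err)
 }
 case database.ProvisionerJobTypeTemplateVersionDryRun, database.ProvisionerJobTypeTemplateVersionImport:
 // Authorized call to get template version.
 _, err := authorizedTemplateVersionFromJob(ctx, q, job)
 if err != nil {
-return database.ProvisionerJob{}, xerrors.Errorf("fetch related template version: %w", err)
+return xerrors.Errorf("fetch related template version: %w", err)
 }
 default:
-return database.ProvisionerJob{}, xerrors.Errorf("unknown job type: %q", job.Type)
+return xerrors.Errorf("unknown job type: %q", job.Type)
+}
+return nil
+}
+
+func (q *querier) GetProvisionerJobByID(ctx context.Context, id uuid.UUID) (database.ProvisionerJob, error) {
+job, err := q.db.GetProvisionerJobByID(ctx, id)
+if err != nil {
+return database.ProvisionerJob{}, err
+}
+
+if err := q.authorizeProvisionerJob(ctx, job); err != nil {
+return database.ProvisionerJob{}, err
 }
 
 return job, nil
 }
 
 func (q *querier) GetProvisionerJobByIDForUpdate(ctx context.Context, id uuid.UUID) (database.ProvisionerJob, error) {
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+job, err := q.db.GetProvisionerJobByIDForUpdate(ctx, id)
+if err != nil {
+return database.ProvisionerJob{}, err
+}
+
+if err := q.authorizeProvisionerJob(ctx, job); err != nil {
 return database.ProvisionerJob{}, err
 }
-return q.db.GetProvisionerJobByIDForUpdate(ctx, id)
+
+return job, nil
 }
 
 func (q *querier) GetProvisionerJobTimingsByJobID(ctx context.Context, jobID uuid.UUID) ([]database.ProvisionerJobTiming, error) {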
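Review bot: In `GetProvisionerJobByIDForUpdate` the locking query `q.db.GetProvisionerJobByIDForUpdate` now runs before any authorization decision, where the removed code called `q.authorizeContext` first; a caller who is then rejected has already executed the query and, if it is a `SELECT ... FOR UPDATE` as the name suggests, keeps the row lock until its transaction ends. The check that follows is read-level only (the helper's own comment says "If we can read the build, we can read the job"), so read access to the related workspace build or template version is what gates a fetch intended for modification. If that is the intended policy, document it on the helper, e.g. `// authorizeProvisionerJob authorizes read access to a job through its related workspace build or template version; unknown job types are rejected.`, and state on the ForUpdate method that the write that follows must be authorized separately. No test file is among the two changed files, so a case asserting that a subject without access to the related build or template version is rejected on the ForUpdate path would be worth adding.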

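--- a/codersdk/workspacebuilds.go
+++ b/codersdk/workspacebuilds.go
@@ -131,6 +131,7 @@ const (
 )
 
 type CancelWorkspaceBuildParams struct {
+// ExpectStatus ensures the build is in the expected status before canceling.
 ExpectStatus CancelWorkspaceBuildStatus `json:"expect_status,omitempty"`
 }
 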