
Commit 4ee53e2

committed
prevent creation and modification of system users
1 parent 3bbe40e commit 4ee53e2


4 files changed

+47
-0
lines changed


coderd/database/dump.sql

Lines changed: 15 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

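--- a/coderd/database/migrations/000302_prebuilds.down.sql
+++ b/coderd/database/migrations/000302_prebuilds.down.sql
@@ -3,6 +3,11 @@ DROP VIEW IF EXISTS workspace_prebuild_builds;
 DROP VIEW IF EXISTS workspace_prebuilds;
 DROP VIEW IF EXISTS workspace_latest_build;
 
+-- Undo the restriction on deleting system users
+DROP TRIGGER IF EXISTS prevent_system_user_updates ON users;
+DROP TRIGGER IF EXISTS prevent_system_user_deletions ON users;
+DROP FUNCTION IF EXISTS prevent_system_user_changes();
+
 -- Revert user operations
 -- c42fdf75-3097-471c-8c33-fb52454d81c0 is the identifier for the system user responsible for prebuilds.
 DELETE FROM user_status_changes WHERE user_id = 'c42fdf75-3097-471c-8c33-fb52454d81c0';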

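--- a/coderd/database/migrations/000302_prebuilds.up.sql
+++ b/coderd/database/migrations/000302_prebuilds.up.sql
@@ -3,6 +3,32 @@ INSERT INTO users (id, email, username, name, created_at, updated_at, status, rb
 VALUES ('c42fdf75-3097-471c-8c33-fb52454d81c0', 'prebuilds@system', 'prebuilds', 'Prebuilds Owner', now(), now(),
 'active', '{}', 'none', true);
 
+-- Create function to check system user modifications
+CREATE OR REPLACE FUNCTION prevent_system_user_changes()
+RETURNS TRIGGER AS
+$$
+BEGIN
+IF OLD.is_system = true THEN
+RAISE EXCEPTION 'Cannot modify or delete system users';
+END IF;
+RETURN OLD;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Create trigger to prevent updates to system users
+CREATE TRIGGER prevent_system_user_updates
+BEFORE UPDATE ON users
+FOR EACH ROW
+WHEN (OLD.is_system = true)
+EXECUTE FUNCTION prevent_system_user_changes();
+
+-- Create trigger to prevent deletion of system users
+CREATE TRIGGER prevent_system_user_deletions
+BEFORE DELETE ON users
+FOR EACH ROW
+WHEN (OLD.is_system = true)
+EXECUTE FUNCTION prevent_system_user_changes();
+
 -- TODO: do we *want* to use the default org here? how do we handle multi-org?
 WITH default_org AS (SELECT id
 FROM organizations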
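Review bot: Both triggers fire only when `OLD.is_system = true`, so an `INSERT` of a new row with `is_system = true` and an `UPDATE` that flips an ordinary user to `is_system = true` still pass, although the commit title promises to prevent creation of system users. dump.sql is not rendered on this page, so this is judged from this hunk alone. I would add a `BEFORE INSERT` trigger, widen the update trigger's `WHEN` clause to also test `NEW.is_system`, and make the function raise unconditionally, because `OLD` is not populated in an insert trigger and the existing `IF`/`RETURN OLD` path would not reject the row there. The down migration would need a matching `DROP TRIGGER` for the added trigger.

```sql
CREATE OR REPLACE FUNCTION prevent_system_user_changes()
    RETURNS TRIGGER AS
$$
BEGIN
    -- Reached only through triggers whose WHEN clause already matched a system row.
    RAISE EXCEPTION 'Cannot modify or delete system users';
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER prevent_system_user_updates
    BEFORE UPDATE ON users
    FOR EACH ROW
    WHEN (OLD.is_system = true OR NEW.is_system = true)
    EXECUTE FUNCTION prevent_system_user_changes();

-- … unchanged: prevent_system_user_deletions trigger …

-- Trigger name below is a suggestion, not taken from the commit.
CREATE TRIGGER prevent_system_user_inserts
    BEFORE INSERT ON users
    FOR EACH ROW
    WHEN (NEW.is_system = true)
    EXECUTE FUNCTION prevent_system_user_changes();
```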

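--- a/enterprise/coderd/groups_test.go
+++ b/enterprise/coderd/groups_test.go
@@ -823,6 +823,7 @@ func TestGroup(t *testing.T) {
 
 t.Run("everyoneGroupReturnsEmpty", func(t *testing.T) {
 // TODO (sasswart): this test seems to have drifted from its original intention. evaluate and remove/fix
+// "everyone group returns empty", but it returns 5 members?
 t.Parallel()
 
 // TODO: we should not be returning the prebuilds user in Group, and this is not returned in dbmem.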
