8000 chore: filter out invalid permissions on custom role push · coder/coder@1abff51 · GitHub

Commit 1abff51

committed
chore: filter out invalid permissions on custom role push
1 parent 0e0cd23 commit 1abff51


2 files changed

+25
-8
lines changed


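--- a/enterprise/coderd/roles.go
+++ b/enterprise/coderd/roles.go
@@ -147,9 +147,13 @@ func (api *API) putOrgRoles(rw http.ResponseWriter, r *http.Request) {
 UUID: organization.ID,
 Valid: true,
 },
-SitePermissions: db2sdk.List(req.SitePermissions, sdkPermissionToDB),
-OrgPermissions: db2sdk.List(req.OrganizationPermissions, sdkPermissionToDB),
-UserPermissions: db2sdk.List(req.UserPermissions, sdkPermissionToDB),
+// Invalid permissions are filtered out. If this is changed
+// to throw an error, then the story of a previously valid role
+// now being invalid has to be addressed. Coder can change permissions,
+// objects, and actions at any time.
+SitePermissions: db2sdk.List(filterInvalidPermissions(req.SitePermissions), sdkPermissionToDB),
+OrgPermissions: db2sdk.List(filterInvalidPermissions(req.OrganizationPermissions), sdkPermissionToDB),
+UserPermissions: db2sdk.List(filterInvalidPermissions(req.UserPermissions), sdkPermissionToDB),
 })
 if httpapi.Is404Error(err) {
 httpapi.ResourceNotFound(rw)
@@ -247,6 +251,24 @@ func (api *API) deleteOrgRole(rw http.ResponseWriter, r *http.Request) {
 httpapi.Write(ctx, rw, http.StatusNoContent, nil)
 }
 
+func filterInvalidPermissions(permissions []codersdk.Permission) []codersdk.Permission {
+// Filter out any invalid permissions
+var validPermissions []codersdk.Permission
+for _, permission := range permissions {
+err := (&rbac.Permission{
+Negate: permission.Negate,
+ResourceType: string(permission.ResourceType),
+Action: policy.Action(permission.Action),
+}).Valid()
+if err == nil {
+validPermissions = append(validPermissions, permission)
+} else {
+fmt.Println(err.Error())
+}
+}
+return validPermissions
+}
+
 func sdkPermissionToDB(p codersdk.Permission) database.CustomRolePermission {
 return database.CustomRolePermission{
 Negate: p.Negate,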
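Review bot: In `filterInvalidPermissions` the `else` branch reports a dropped permission with `fmt.Println(err.Error())`, so the only record that an authorization rule was discarded is an unstructured stdout line with no role name, organization or actor attached, and nothing in the hunk tells the caller of `putOrgRoles` that the stored role differs from the one it sent. This matters most for entries with `Negate: true`: if such an entry fails `Valid()` it is silently removed, and the saved role could end up broader than the administrator intended (whether negated permissions are accepted for custom roles is not visible here). I would have the helper return the rejected entries as well, e.g. `func filterInvalidPermissions(permissions []codersdk.Permission) (valid, rejected []codersdk.Permission)`, and have `putOrgRoles` log them through the structured request logger and surface them in the response. The body of `putOrgRoles` starts and ends outside the hunk, so how the response is built cannot be checked from here.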

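--- a/site/src/pages/UsersPage/storybookData/roles.ts
+++ b/site/src/pages/UsersPage/storybookData/roles.ts
@@ -101,11 +101,6 @@ export const MockRoles: (AssignableRoles | Role)[] = [
 resource_type: "provisioner_daemon",
 action: "*" as RBACAction,
 },
-{
-negate: false,
-resource_type: "provisioner_keys",
-action: "*" as RBACAction,
-},
 {
 negate: false,
 resource_type: "replicas",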
