github.com/coder/coder / checkAuthorization

Method checkAuthorization

coderd/authorize.go:169–271

checkAuthorization returns if the current API key can use the given permissions, factoring in the current user's roles and the API key scopes.

@Summary Check authorization
@ID check-authorization
@Security CoderSessionToken
@Accept json
@Produce json
@Tags Authorization
@Param request body codersdk

(rw http.ResponseWriter, r *http.Request)


// @Success 200 {object} codersdk.AuthorizationResponse
// @Router /api/v2/authcheck [post]
func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
	ctx := r.Context()
	auth := httpmw.UserAuthorization(r.Context())

	var params codersdk.AuthorizationRequest
	if !httpapi.Read(ctx, rw, r, &params) {
		return
	}

	api.Logger.Debug(ctx, "check-auth",
		slog.F("my_id", httpmw.APIKey(r).UserID),
		slog.F("got_id", auth.ID),
		slog.F("name", auth),
		slog.F("roles", auth.SafeRoleNames()),
		slog.F("scope", auth.SafeScopeName()),
	)

	response := make(codersdk.AuthorizationResponse)
	// Prevent using too many resources by ID. This prevents database abuse
	// from this endpoint. This also prevents misuse of this endpoint, as
	// resource_id should be used for single objects, not for a list of them.
	var (
		idFetch  int
		maxFetch = 10
	)
	for _, v := range params.Checks {
		if v.Object.ResourceID != "" {
			idFetch++
		}
	}
	if idFetch > maxFetch {
		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
			Message: fmt.Sprintf(
				"Endpoint only supports using \"resource_id\" field %d times, found %d usages. Remove %d objects with this field set.",
				maxFetch, idFetch, idFetch-maxFetch,
			),
		})
		return
	}

	for k, v := range params.Checks {
		if v.Object.ResourceType == "" {
			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
				Message: fmt.Sprintf("Object's \"resource_type\" field must be defined for key %q.", k),
			})
			return
		}

		obj := rbac.Object{
			Owner:       v.Object.OwnerID,
			OrgID:       v.Object.OrganizationID,
			Type:        string(v.Object.ResourceType),
			AnyOrgOwner: v.Object.AnyOrgOwner,
		}
		if obj.Owner == codersdk.Me {
			obj.Owner = auth.ID
		}


Callers (9)

fetchTemplate (function) · 0.80
groupPermissions (function) · 0.80
checkAuthorization (function) · 0.80
loginFn (function) · 0.80
permittedOrganizations (function) · 0.80
organizationsPermissions (function) · 0.80

Calls (15)

RBACObject (method) · 0.95
UserAuthorization (function) · 0.92
Read (function) · 0.92
APIKey (function) · 0.92
Write (function) · 0.92
Action (type alias) · 0.92
SafeRoleNames (method) · 0.80
SafeScopeName (method) · 0.80
Context (method) · 0.65
Parse (method) · 0.65
GetWorkspaceByID (method) · 0.65
GetTemplateByID (method) · 0.65

Tested by

no test coverage detected