(ctx context.Context, arg database.InsertAPIKeyParams)
| 5436 | } |
| 5437 | |
| 5438 | func (q *querier) InsertAPIKey(ctx context.Context, arg database.InsertAPIKeyParams) (database.APIKey, error) { |
| 5439 | // TODO(Cian): ideally this would be encoded in the policy, but system users are just members and we |
| 5440 | // don't currently have a capability to conditionally deny creating resources by owner ID in a role. |
| 5441 | // We also need to enrich rbac.Actor with IsSystem so that we can distinguish all system users. |
| 5442 | // For now, there is only one system user (prebuilds). |
| 5443 | if act, ok := ActorFromContext(ctx); ok && act.ID == database.PrebuildsSystemUserID.String() { |
| 5444 | return database.APIKey{}, logNotAuthorizedError(ctx, q.log, NotAuthorizedError{Err: xerrors.Errorf("prebuild user may not create api keys")}) |
| 5445 | } |
| 5446 | |
| 5447 | return insert(q.log, q.auth, |
| 5448 | rbac.ResourceApiKey.WithOwner(arg.UserID.String()), |
| 5449 | q.db.InsertAPIKey)(ctx, arg) |
| 5450 | } |
| 5451 | |
| 5452 | func (q *querier) InsertAllUsersGroup(ctx context.Context, organizationID uuid.UUID) (database.Group, error) { |
| 5453 | // This method creates a new group. |
nothing calls this directly
no test coverage detected