(ctx context.Context, templateIDs []uuid.UUID)
| 1376 | } |
| 1377 | |
| 1378 | func (q *querier) authorizeTemplateInsights(ctx context.Context, templateIDs []uuid.UUID) error { |
| 1379 | // Abort early if can read all template insights, aka admins. |
| 1380 | // TODO: If we know the org, that would allow org admins to abort early too. |
| 1381 | if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate); err != nil { |
| 1382 | for _, templateID := range templateIDs { |
| 1383 | template, err := q.db.GetTemplateByID(ctx, templateID) |
| 1384 | if err != nil { |
| 1385 | return err |
| 1386 | } |
| 1387 | |
| 1388 | if err := q.authorizeContext(ctx, policy.ActionViewInsights, template); err != nil { |
| 1389 | return err |
| 1390 | } |
| 1391 | } |
| 1392 | if len(templateIDs) == 0 { |
| 1393 | if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate.All()); err != nil { |
| 1394 | return err |
| 1395 | } |
| 1396 | } |
| 1397 | } |
| 1398 | return nil |
| 1399 | } |
| 1400 | |
| 1401 | // customRoleEscalationCheck checks to make sure the caller has every permission they are adding |
| 1402 | // to a custom role. This prevents permission escalation. |
no test coverage detected