authorizeReadFile is a hotfix for the fact that file permissions are independent of template permissions. This function checks if the user has update access to any of the file's templates.
(ctx context.Context, file database.File)
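// authorizeUpdateFileTemplate is a hotfix for the fact that file permissions
// are independent of template permissions. It checks whether the caller has
// update access to any template that references file and returns nil if so;
// callers treat that as sufficient to grant read access to the file.
//
// The template lookup goes to q.db directly rather than through the querier's
// own methods — NOTE(review): presumably so the lookup itself is not subject to
// authorization; confirm this is intended.
//
// The check fails closed: a file with no templates, or whose templates the
// caller cannot update, yields NotAuthorizedError. A database error from the
// lookup is returned as-is.
func (q *querier) authorizeUpdateFileTemplate(ctx context.Context, file database.File) error {
	tpls, err := q.db.GetFileTemplates(ctx, file.ID)
	if err != nil {
		return err
	}
	// There __should__ only be 1 template per file, but there can be more than
	// 1, so check them all. Individual denials are deliberately not surfaced:
	// a single template the caller may update is enough.
	for _, tpl := range tpls {
		// Use a distinct name so the outer err is not shadowed.
		if authErr := q.authorizeContext(ctx, policy.ActionUpdate, tpl); authErr == nil {
			return nil
		}
	}

	return NotAuthorizedError{
		Err: xerrors.Errorf("not authorized to read file %s", file.ID),
	}
}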
| 1187 | |
| 1188 | // convertToOrganizationRoles converts a set of scoped role names to their unique |
| 1189 | // scoped names. The database stores roles as an array of strings, and needs to be |