MCPcopy Index your code
hub / github.com/coder/coder / customRoleEscalationCheck

Method customRoleEscalationCheck

coderd/database/dbauthz/dbauthz.go:1403–1424  ·  view source on GitHub ↗

customRoleEscalationCheck checks to make sure the caller has every permission they are adding to a custom role. This prevents permission escalation.

(ctx context.Context, actor rbac.Subject, perm rbac.Permission, object rbac.Object)

Source from the content-addressed store, hash-verified

1401// customRoleEscalationCheck checks to make sure the caller has every permission they are adding
1402// to a custom role. This prevents permission escalation.
1403func (q *querier) customRoleEscalationCheck(ctx context.Context, actor rbac.Subject, perm rbac.Permission, object rbac.Object) error {
1404 if perm.Negate {
1405 // Users do not need negative permissions. We can include it later if required.
1406 return xerrors.Errorf("invalid permission for action=%q type=%q, no negative permissions", perm.Action, perm.ResourceType)
1407 }
1408
1409 if perm.Action == policy.WildcardSymbol || perm.ResourceType == policy.WildcardSymbol {
1410 // It is possible to check for supersets with wildcards, but wildcards can also
1411 // include resources and actions that do not exist today. Custom roles should only be allowed
1412 // to include permissions for existing resources.
1413 return xerrors.Errorf("invalid permission for action=%q type=%q, no wildcard symbols", perm.Action, perm.ResourceType)
1414 }
1415
1416 object.Type = perm.ResourceType
1417 if err := q.auth.Authorize(ctx, actor, perm.Action, object); err != nil {
1418 // This is a forbidden error, but we can provide more context. Since the user can create a role, just not
1419 // with this perm.
1420 return xerrors.Errorf("invalid permission for action=%q type=%q, not allowed to grant this permission", perm.Action, perm.ResourceType)
1421 }
1422
1423 return nil
1424}
1425
1426// customRoleCheck will validate a custom role for inserting or updating.
1427// If the role is not valid, an error will be returned.

Callers 1

customRoleCheckMethod · 0.95

Calls 2

AuthorizeMethod · 0.65
ErrorfMethod · 0.45

Tested by

no test coverage detected