renderPermissions checks all the site-wide permissions for the given actor and returns an HTML-escaped JSON string suitable for embedding in a meta tag.
(ctx context.Context, actor rbac.Subject)
| 553 | // given actor and returns an HTML-escaped JSON string suitable for |
| 554 | // embedding in a meta tag. |
| 555 | func (h *Handler) renderPermissions(ctx context.Context, actor rbac.Subject) string { |
| 556 | response := make(codersdk.AuthorizationResponse) |
| 557 | for k, v := range permissionChecks { |
| 558 | // Resolve the "me" sentinel so permission checks |
| 559 | // run against the actual actor, matching the |
| 560 | // API-side handling in coderd/authorize.go. |
| 561 | ownerID := v.Object.OwnerID |
| 562 | if ownerID == codersdk.Me { |
| 563 | ownerID = actor.ID |
| 564 | } |
| 565 | obj := rbac.Object{ |
| 566 | ID: v.Object.ResourceID, |
| 567 | Owner: ownerID, |
| 568 | OrgID: v.Object.OrganizationID, |
| 569 | AnyOrgOwner: v.Object.AnyOrgOwner, |
| 570 | Type: string(v.Object.ResourceType), |
| 571 | } |
| 572 | err := h.opts.Authorizer.Authorize(ctx, actor, policy.Action(v.Action), obj) |
| 573 | response[k] = err == nil |
| 574 | } |
| 575 | data, err := json.Marshal(response) |
| 576 | if err != nil { |
| 577 | return "" |
| 578 | } |
| 579 | return html.EscapeString(string(data)) |
| 580 | } |
| 581 | |
| 582 | // noopResponseWriter is a response writer that does nothing. |
| 583 | type noopResponseWriter struct{} |
no test coverage detected