Apply a new authorization check for GetProvisionerJobByIDForUpdate

kacpersaw · kacpersaw · commit 11d8c0ac5787 · 2025-07-06T09:28:00.000Z
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -2439,38 +2439,51 @@ func (q *querier) GetProvisionerDaemonsWithStatusByOrganization(ctx context.Cont
 	return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetProvisionerDaemonsWithStatusByOrganization)(ctx, arg)
 }
 
-func (q *querier) GetProvisionerJobByID(ctx context.Context, id uuid.UUID) (database.ProvisionerJob, error) {
-	job, err := q.db.GetProvisionerJobByID(ctx, id)
-	if err != nil {
-		return database.ProvisionerJob{}, err
-	}
-
+func (q *querier) authorizeProvisionerJob(ctx context.Context, job database.ProvisionerJob) error {
 	switch job.Type {
 	case database.ProvisionerJobTypeWorkspaceBuild:
 		// Authorized call to get workspace build. If we can read the build, we
 		// can read the job.
-		_, err := q.GetWorkspaceBuildByJobID(ctx, id)
+		_, err := q.GetWorkspaceBuildByJobID(ctx, job.ID)
 		if err != nil {
-			return database.ProvisionerJob{}, xerrors.Errorf("fetch related workspace build: %w", err)
+			return xerrors.Errorf("fetch related workspace build: %w", err)
 		}
 	case database.ProvisionerJobTypeTemplateVersionDryRun, database.ProvisionerJobTypeTemplateVersionImport:
 		// Authorized call to get template version.
 		_, err := authorizedTemplateVersionFromJob(ctx, q, job)
 		if err != nil {
-			return database.ProvisionerJob{}, xerrors.Errorf("fetch related template version: %w", err)
+			return xerrors.Errorf("fetch related template version: %w", err)
 		}
 	default:
-		return database.ProvisionerJob{}, xerrors.Errorf("unknown job type: %q", job.Type)
+		return xerrors.Errorf("unknown job type: %q", job.Type)
+	}
+	return nil
+}
+
+func (q *querier) GetProvisionerJobByID(ctx context.Context, id uuid.UUID) (database.ProvisionerJob, error) {
+	job, err := q.db.GetProvisionerJobByID(ctx, id)
+	if err != nil {
+		return database.ProvisionerJob{}, err
+	}
+
+	if err := q.authorizeProvisionerJob(ctx, job); err != nil {
+		return database.ProvisionerJob{}, err
 	}
 
 	return job, nil
 }
 
 func (q *querier) GetProvisionerJobByIDForUpdate(ctx context.Context, id uuid.UUID) (database.ProvisionerJob, error) {
-	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+	job, err := q.db.GetProvisionerJobByIDForUpdate(ctx, id)
+	if err != nil {
+		return database.ProvisionerJob{}, err
+	}
+
+	if err := q.authorizeProvisionerJob(ctx, job); err != nil {
 		return database.ProvisionerJob{}, err
 	}
-	return q.db.GetProvisionerJobByIDForUpdate(ctx, id)
+
+	return job, nil
 }
 
 func (q *querier) GetProvisionerJobTimingsByJobID(ctx context.Context, jobID uuid.UUID) ([]database.ProvisionerJobTiming, error) {
diff --git a/codersdk/workspacebuilds.go b/codersdk/workspacebuilds.go
@@ -131,6 +131,7 @@ const (
 )
 
 type CancelWorkspaceBuildParams struct {
+	// ExpectStatus ensures the build is in the expected status before canceling.
 	ExpectStatus CancelWorkspaceBuildStatus `json:"expect_status,omitempty"`
 }
 

Original file line number	Diff line number	Diff line change
`@@ -131,6 +131,7 @@ const (`
`131`	`131`	`)`
`132`	`132`
`133`	`133`	`type CancelWorkspaceBuildParams struct {`
	`134`	`+ // ExpectStatus ensures the build is in the expected status before canceling.`
`134`	`135`	ExpectStatus CancelWorkspaceBuildStatus `json:"expect_status,omitempty"`
`135`	`136`	`}`
`136`	`137`