
Commit 4ee53e2

committed
prevent creation and modification of system users
1 parent 3bbe40e commit 4ee53e2


4 files changed

+47
-0
lines changed


coderd/database/dump.sql

Lines changed: 15 additions & 0 deletions

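--- a/coderd/database/migrations/000302_prebuilds.down.sql
+++ b/coderd/database/migrations/000302_prebuilds.down.sql
@@ -3,6 +3,11 @@ DROP VIEW IF EXISTS workspace_prebuild_builds;
 DROP VIEW IF EXISTS workspace_prebuilds;
 DROP VIEW IF EXISTS workspace_latest_build;
 
+-- Undo the restriction on deleting system users
+DROP TRIGGER IF EXISTS prevent_system_user_updates ON users;
+DROP TRIGGER IF EXISTS prevent_system_user_deletions ON users;
+DROP FUNCTION IF EXISTS prevent_system_user_changes();
+
 -- Revert user operations
 -- c42fdf75-3097-471c-8c33-fb52454d81c0 is the identifier for the system user responsible for prebuilds.
 DELETE FROM user_status_changes WHERE user_id = 'c42fdf75-3097-471c-8c33-fb52454d81c0';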
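Review bot: The added comment mentions only "deleting", although the lines under it drop both the update and the delete trigger, and it does not explain why the drops are placed here. If a `DELETE FROM users` for the prebuilds row follows later in this file (not visible in the hunk), the drops have to stay ahead of it or the delete trigger will abort the down migration. Suggested comment: `-- Drop the system-user guards first; the deletes below would otherwise be rejected by prevent_system_user_deletions.`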

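--- a/coderd/database/migrations/000302_prebuilds.up.sql
+++ b/coderd/database/migrations/000302_prebuilds.up.sql
@@ -3,6 +3,32 @@ INSERT INTO users (id, email, username, name, created_at, updated_at, status, rb
 VALUES ('c42fdf75-3097-471c-8c33-fb52454d81c0', 'prebuilds@system', 'prebuilds', 'Prebuilds Owner', now(), now(),
 'active', '{}', 'none', true);
 
+-- Create function to check system user modifications
+CREATE OR REPLACE FUNCTION prevent_system_user_changes()
+RETURNS TRIGGER AS
+$$
+BEGIN
+IF OLD.is_system = true THEN
+RAISE EXCEPTION 'Cannot modify or delete system users';
+END IF;
+RETURN OLD;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Create trigger to prevent updates to system users
+CREATE TRIGGER prevent_system_user_updates
+BEFORE UPDATE ON users
+FOR EACH ROW
+WHEN (OLD.is_system = true)
+EXECUTE FUNCTION prevent_system_user_changes();
+
+-- Create trigger to prevent deletion of system users
+CREATE TRIGGER prevent_system_user_deletions
+BEFORE DELETE ON users
+FOR EACH ROW
+WHEN (OLD.is_system = true)
+EXECUTE FUNCTION prevent_system_user_changes();
+
 -- TODO: do we *want* to use the default org here? how do we handle multi-org?
 WITH default_org AS (SELECT id
 FROM organizations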
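Review bot: The commit title says creation of system users is prevented, but this section only adds `BEFORE UPDATE` and `BEFORE DELETE` triggers, both gated on `OLD.is_system = true`, so an `INSERT` with `is_system = true` and an `UPDATE` that flips an ordinary row's `is_system` to true are not blocked. A third trigger gated on `NEW.is_system = true` would close that, with the function raising unconditionally since every caller's `WHEN` clause already does the filtering; the matching down migration would then need a `DROP TRIGGER` for it. Separately, `RETURN OLD` from a `BEFORE UPDATE` row trigger discards the new values, and it is unreachable today only because of the `WHEN` clauses. Whether later migrations or test fixtures insert system rows after this point is not visible here, so confirm that before adding the insert guard.

```sql
CREATE OR REPLACE FUNCTION prevent_system_user_changes()
-- … unchanged: RETURNS TRIGGER AS $$ …
BEGIN
    -- Every trigger that calls this function is gated by a WHEN clause on
    -- is_system, so reaching the body always means a system row is involved.
    RAISE EXCEPTION 'Cannot modify or delete system users';
END;
-- … unchanged: $$ LANGUAGE plpgsql; and the two existing triggers …

-- Block new system rows and promotion of an ordinary row to a system row.
CREATE TRIGGER prevent_system_user_creation
    BEFORE INSERT OR UPDATE ON users
    FOR EACH ROW
    WHEN (NEW.is_system = true)
EXECUTE FUNCTION prevent_system_user_changes();
```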

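--- a/enterprise/coderd/groups_test.go
+++ b/enterprise/coderd/groups_test.go
@@ -823,6 +823,7 @@ func TestGroup(t *testing.T) {
 
 t.Run("everyoneGroupReturnsEmpty", func(t *testing.T) {
 // TODO (sasswart): this test seems to have drifted from its original intention. evaluate and remove/fix
+// "everyone group returns empty", but it returns 5 members?
 t.Parallel()
 
 // TODO: we should not be returning the prebuilds user in Group, and this is not returned in dbmem.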
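Review bot: The comment added under the `TODO (sasswart)` line records an open question rather than a decision, so the subtest name `everyoneGroupReturnsEmpty` still contradicts what the test observes. Stating the current behaviour and pointing at the existing TODO would be clearer, for example `// Name is stale: the group currently returns 5 members (see the prebuilds-user TODO below); rename or fix.` The `t.Run` body continues outside the hunk, so the assertions themselves are not visible here.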
