From 6f99100fd1d4634f9e500675687db8a680fb5443 Mon Sep 17 00:00:00 2001
From: Brett Kolodny
Date: Wed, 19 Feb 2025 21:50:30 +0000
Subject: [PATCH 1/2] feat: add audit_log read permission check to audit route
---
 coderd/coderd.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/coderd/coderd.go b/coderd/coderd.go
index 93aeb02adb6e3..65b943cd3ae26 100644
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -930,6 +930,25 @@ func New(options *Options) *API {
 r.Route("/audit", func(r chi.Router) {
 r.Use(
 apiKeyMiddleware,
+ // This middleware only checks the site and orgs for the audit_log read
+ // permission.
+ // In the future if it makes sense to have this permission on the user as
+ // well we will need to update this middleware to include that check.
+ func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+ if api.Authorize(r, policy.ActionRead, rbac.ResourceAuditLog) {
+ next.ServeHTTP(rw, r)
+ return
+ }
+
+ if api.Authorize(r, policy.ActionRead, rbac.ResourceAuditLog.AnyOrganization()) {
+ next.ServeHTTP(rw, r)
+ return
+ }
+
+ httpapi.Forbidden(rw)
+ })
+ },
 )
 
 r.Get("/", api.auditLogs)
From 6f0a06bc58fe0de41f5794418a6ad7bce0e2d3db Mon Sep 17 00:00:00 2001
From: Brett Kolodny
Date: Wed, 19 Feb 2025 21:59:17 +0000
Subject: [PATCH 2/2] fix: show an error alert if the audit query has an error
---
 site/src/pages/AuditPage/AuditPage.tsx | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/site/src/pages/AuditPage/AuditPage.tsx b/site/src/pages/AuditPage/AuditPage.tsx
index 68f566b4bf054..efcf2068f19ad 100644
--- a/site/src/pages/AuditPage/AuditPage.tsx
+++ b/site/src/pages/AuditPage/AuditPage.tsx
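Review bot: The second check in the new /audit middleware passes any caller who holds audit_log read in at least one organization, so this gate alone does not limit which organizations' entries are returned. That depends on `api.auditLogs`, which is outside the hunk and should be confirmed to scope rows to the organizations the caller can read. I would record that at the check, e.g. `// Coarse gate: any-org read passes here; api.auditLogs must still scope results to readable orgs.` The patch touches only coderd/coderd.go, so a test that a user without the permission gets 403, and that an org-scoped reader sees only that org's entries, would pin the behaviour. The body of New starts and ends outside the hunk.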
@@ -1,4 +1,5 @@ import { paginatedAudits } from "api/queries/audits"; +import { ErrorAlert } from "components/Alert/ErrorAlert"; import { useFilter } from "components/Filter/Filter"; import { useUserFilterMenu } from "components/Filter/UserFilter"; import { isNonInitialPage } from "components/PaginationWidget/utils"; @@ -67,6 +68,14 @@ const AuditPage: FC = () => { }), }); + if (auditsQuery.error) { + return ( +
+ +
+ ); + } + return ( <> pFad - Phonifier reborn
