fix(coderd): add stricter authorization for provisioners endpoint

mafredri · mafredri · commit 27c6919ebc8d · 2025-02-17T09:59:50.000Z
References #16558
diff --git a/coderd/provisionerdaemons.go b/coderd/provisionerdaemons.go
@@ -9,6 +9,8 @@ import (
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/provisionerdserver"
+	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/util/ptr"
 	"github.com/coder/coder/v2/codersdk"
 )
@@ -31,6 +33,13 @@ func (api *API) provisionerDaemons(rw http.ResponseWriter, r *http.Request) {
 		org = httpmw.OrganizationParam(r)
 	)
 
+	// This endpoint returns information about provisioner jobs.
+	// For now, only owners and template admins can access provisioner jobs.
+	if !api.Authorize(r, policy.ActionRead, rbac.ResourceProvisionerJobs.InOrg(org.ID)) {
+		httpapi.ResourceNotFound(rw)
+		return
+	}
+
 	qp := r.URL.Query()
 	p := httpapi.NewQueryParamParser()
 	limit := p.PositiveInt32(qp, 50, "limit")
diff --git a/coderd/provisionerdaemons_test.go b/coderd/provisionerdaemons_test.go
@@ -241,11 +241,14 @@ func TestProvisionerDaemons(t *testing.T) {
 		require.Nil(t, daemons[0].PreviousJob)
 	})
 
-	t.Run("MemberAllowed", func(t *testing.T) {
+	// For now, this is not allowed even though the member has created a
+	// workspace. Once member-level permissions for jobs are supported
+	// by RBAC, this test should be updated.
+	t.Run("MemberDenied", func(t *testing.T) {
 		t.Parallel()
 		ctx := testutil.Context(t, testutil.WaitMedium)
 		daemons, err := memberClient.OrganizationProvisionerDaemons(ctx, owner.OrganizationID, nil)
-		require.NoError(t, err)
-		require.Len(t, daemons, 50)
+		require.Error(t, err)
+		require.Len(t, daemons, 0)
 	})
 }
