
Commit 5bd1280

committed
add safety check
1 parent f7d22ea commit 5bd1280


1 file changed

+7
-0
lines changed

1 file changed

+7
-0
lines changed

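--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -2851,6 +2851,13 @@ func (q *querier) UpdateMemberRoles(ctx context.Context, arg database.UpdateMemb
 // Convert the argument roles for validation.
 scopedGranted := make([]string, 0, len(arg.GrantedRoles))
 for _, grantedRole := range arg.GrantedRoles {
+// This check is a developer safety check. Old code might try to invoke this code path with
+// organization id suffixes. Catch this and return a nice error so it can be fixed.
+_, foundOrg, _ := rbac.RoleSplit(grantedRole)
+if foundOrg != "" {
+return database.OrganizationMember{}, xerrors.Errorf("attempt to assign a role %q, remove the ':<organization_id> suffix", grantedRole)
+}
+
 scopedGranted = append(scopedGranted, rbac.RoleName(grantedRole, arg.OrgID.String()))
 }
 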
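Review bot: The added check discards the third result of `rbac.RoleSplit(grantedRole)`. If that result is an error, as its position suggests (the signature is not visible on this page), a role string the splitter rejects would leave `foundOrg` empty and pass straight on to `rbac.RoleName`. This loop builds the role names about to be granted to a member, so it should fail closed: `_, foundOrg, err := rbac.RoleSplit(grantedRole)` followed by `if err != nil { return database.OrganizationMember{}, xerrors.Errorf("split role %q: %w", grantedRole, err) }`. The error text also has an unbalanced quote, `':<organization_id> suffix`, and should read `':<organization_id>' suffix`. The body of UpdateMemberRoles starts and ends outside this hunk, so whether a later validation step rejects malformed names cannot be confirmed from here.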
