auth on test notification endpoint

johnstcn · johnstcn · commit bde71ca6d969 · 2025-03-26T15:18:34.000Z
diff --git a/coderd/notifications.go b/coderd/notifications.go
@@ -428,6 +428,12 @@ func (api *API) postUserPushNotificationTest(rw http.ResponseWriter, r *http.Req
 		return
 	}
 
+	// We need to authorize the user to send a push notification to themselves.
+	if !api.Authorize(r, policy.ActionCreate, rbac.ResourceNotificationMessage.WithOwner(user.ID.String())) {
+		httpapi.Forbidden(rw)
+		return
+	}
+
 	if err := api.WebpushDispatcher.Dispatch(ctx, user.ID, codersdk.WebpushMessage{
 		Title: "It's working!",
 		Body:  "You've subscribed to push notifications.",
