refactor(coderd/dbauthz): use authorizeContext for system check

Callum Styan · Callum Styan · commit 915b2b039446 · 2025-12-16T18:34:51.000Z
Replace direct actor type checking with authorizeContext pattern
for consistency with other dbauthz wrappers. This checks for
ActionRead on ResourceSystem, which will only succeed for
system-restricted contexts.
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -3930,10 +3930,11 @@ func (q *querier) GetWorkspaceResourceByID(ctx context.Context, id uuid.UUID) (d
 // we can bypass the authorization cascade that would normally call
 // GetWorkspaceBuildByJobID.
 func (q *querier) GetWorkspaceResourceWithJobByID(ctx context.Context, id uuid.UUID) (database.GetWorkspaceResourceWithJobByIDRow, error) {
-	// Check if this is a system-restricted context.
-	actor, ok := ActorFromContext(ctx)
-	if !ok || actor.Type != rbac.SubjectTypeSystemRestricted {
-		return database.GetWorkspaceResourceWithJobByIDRow{}, xerrors.New("GetWorkspaceResourceWithJobByID requires system-restricted context")
+	// Authorize for system resource access. This will only succeed for
+	// system-restricted contexts, ensuring this optimized path is only used
+	// in appropriate scenarios.
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
+		return database.GetWorkspaceResourceWithJobByIDRow{}, err
 	}
 
 	// With system-restricted context, we can safely bypass the authorization
