fix(http): enforce orgID parameter on list checks endpoint

Open GeorgeMac opened this issue 5 years ago • 0 comments

Updating /api/v2/checks to enforce orgID parameter as per spec: https://github.com/influxdata/influxdb/blob/master/http/swagger.yml#L5505-L5510

I've had a look around and can't find anywhere that doesn't already consume this API in this way.

Not enforcing this has its own problems. I am cleaning up the check service at the moment and this will make a big difference.

UPDATE:

This PR also includes one subtle change to authorizer.AuthorizerOrg(Read|Write)Resource.

Prior to this change, the method took an influxdb.ID for an orgID. Now it takes a pointer to one.

This allows the caller to provide a nil orgID. The meaning of this is documented, but to elaborate, it means the authorizer requires the caller to have the specific permission to read or write the specified resource type for all organizations. Prior to this change, this method could only enforce for specified orgs. This makes this authorize method suitable to be called before delegating to list actions, allowing us to stop authorizing the result set; instead, we can now authorize the parameters. If the caller omits an orgID from the filter, they are intrinsically asking for all organizations. This just makes sure they can do that, if they attempt it.

No more will we infer based on permissions what they can see after the action has already taken place. (This is what breaks pagination for all resources.) If we move more list actions to use this, then we can fix our pagination issues.

This PR just switches the FindChecks call to authorize in this way.

  • [x] CHANGELOG.md updated with a link to the PR (not the Issue)
  • [x] Well-formatted commit messages
  • [x] Rebased/mergeable
  • [x] Tests pass
  • [x] http/swagger.yml updated (if modified Go structs or API)
  • [x] Documentation updated or issue created (provide link to issue/pr)
  • [x] Signed CLA (if not already signed)

GeorgeMac, May 13 '20 15:05
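
The difference between authorizing the result set and authorizing the parameters, as described in the PR text above, shown as an added Go example that is not code from this PR or from influxdb. All names (`ID`, `Check`, `Permission`, `AuthorizeOrgRead`, `ListPostFilter`, `ListPreAuthorized`) and the sample data are assumptions made for illustration, and paging is reduced to a first page of `limit` rows.

```go
package main

import "fmt"

// Hypothetical stand-ins for illustration; not influxdb's real types or signatures.
type ID uint64
type Check struct{ ID, OrgID ID }
type Permission struct{ OrgID *ID } // nil OrgID grants read on checks in every org

// AuthorizeOrgRead checks the request parameter; a nil orgID needs an unscoped permission.
func AuthorizeOrgRead(perms []Permission, orgID *ID) error {
	for _, p := range perms {
		if p.OrgID == nil || (orgID != nil && *p.OrgID == *orgID) {
			return nil
		}
	}
	return fmt.Errorf("unauthorized")
}

// ListPostFilter takes the first page, then drops rows the caller may not read.
func ListPostFilter(all []Check, perms []Permission, limit int) (out []Check) {
	for i := 0; i < len(all) && i < limit; i++ {
		if AuthorizeOrgRead(perms, &all[i].OrgID) == nil {
			out = append(out, all[i])
		}
	}
	return out
}

// ListPreAuthorized authorizes the filter first, then pages over matching rows.
func ListPreAuthorized(all []Check, perms []Permission, orgID *ID, limit int) (out []Check, err error) {
	if err = AuthorizeOrgRead(perms, orgID); err != nil {
		return nil, err
	}
	for _, c := range all {
		if (orgID == nil || c.OrgID == *orgID) && len(out) < limit {
			out = append(out, c)
		}
	}
	return out, nil
}

func main() {
	org1 := ID(1)
	all := []Check{{1, 1}, {2, 2}, {3, 1}, {4, 2}} // constructed sample data
	perms := []Permission{{&org1}}                 // caller may read org 1 only
	fmt.Println(ListPostFilter(all, perms, 2))           // short page: one row for limit 2
	fmt.Println(ListPreAuthorized(all, perms, &org1, 2)) // full page of org 1 checks
	fmt.Println(ListPreAuthorized(all, perms, nil, 2))   // rejected before any rows are read
}
```

With post-filtering, the caller receives one row for a page size of two even though a second readable check exists, so the page length says nothing about whether more results remain.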