From a29844120ba7e3fb4ba8abe73b2fb5ea708ac495 Mon Sep 17 00:00:00 2001
From: Zach Wasserman <zach@fleetdm.com>
Date: Mon, 9 Aug 2021 19:30:17 -0700
Subject: [PATCH] Fix live query for observers (#1603)

Set observer can run when performing authz check for live query results.

Final backend fix for #1515
---
 server/service/service_campaigns.go |  5 ++++-
 server/service/service_status.go    | 13 +++++++++++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/server/service/service_campaigns.go b/server/service/service_campaigns.go
index 94ef5b8570..a41b67eaa1 100644
--- a/server/service/service_campaigns.go
+++ b/server/service/service_campaigns.go
@@ -185,7 +185,10 @@ type campaignStatus struct {
 func (svc Service) StreamCampaignResults(ctx context.Context, conn *websocket.Conn, campaignID uint) {
 	logging.WithExtras(ctx, "campaign_id", campaignID)
 
-	if err := svc.authz.Authorize(ctx, &fleet.Query{}, fleet.ActionRun); err != nil {
+	// Explicitly set ObserverCanRun: true in this check because we check that the user trying to
+	// read results is the same user that initiated the query. This means the observer check already
+	// happened with the actual value for this query.
+	if err := svc.authz.Authorize(ctx, &fleet.Query{ObserverCanRun: true}, fleet.ActionRun); err != nil {
 		level.Info(svc.logger).Log("err", "stream results authorization failed")
 		conn.WriteJSONError(authz.ForbiddenErrorMessage)
 		return
diff --git a/server/service/service_status.go b/server/service/service_status.go
index 49f8a42fe7..bedb317c9b 100644
--- a/server/service/service_status.go
+++ b/server/service/service_status.go
@@ -3,17 +3,26 @@ package service
 import (
 	"context"
 
+	"github.com/fleetdm/fleet/v4/server/fleet"
 	"github.com/pkg/errors"
 )
 
 func (svc *Service) StatusResultStore(ctx context.Context) error {
+	if err := svc.authz.Authorize(ctx, &fleet.AppConfig{}, fleet.ActionRead); err != nil {
+		return err
+	}
+
 	return svc.resultStore.HealthCheck()
 }
 
 func (svc *Service) StatusLiveQuery(ctx context.Context) error {
-	cfg, err := svc.AppConfig(ctx)
+	if err := svc.authz.Authorize(ctx, &fleet.AppConfig{}, fleet.ActionRead); err != nil {
+		return err
+	}
+
+	cfg, err := svc.ds.AppConfig()
 	if err != nil {
-		return errors.Wrap(err, "retreiving app config")
+		return errors.Wrap(err, "retrieve app config")
 	}
 
 	if cfg.LiveQueryDisabled {