chore: attempt to nudge agents away from dbauthz.AsSystemRestricted (coder#23326)

johnstcn · Copilot · web-flow · commit c8e58575e0ee · 2026-03-20T14:18:18.000+02:00
Adds a warning comment to dbauthz.AsSystemRestricted to hopefully nudge agents away from it.

---------

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -769,6 +769,9 @@ func AsSubAgentAPI(ctx context.Context, orgID uuid.UUID, userID uuid.UUID) conte
 
 // AsSystemRestricted returns a context with an actor that has permissions
 // required for various system operations (login, logout, metrics cache).
+// DO NOT USE THIS UNLESS YOU HAVE ABSOLUTELY NO OTHER CHOICE. Prefer using a
+// more specific As* helper above (or adding a new, narrowly-scoped one) so
+// that permissions remain limited to the operation you need.
 func AsSystemRestricted(ctx context.Context) context.Context {
 	return As(ctx, subjectSystemRestricted)
 }

Original file line number	Diff line number	Diff line change
`@@ -769,6 +769,9 @@ func AsSubAgentAPI(ctx context.Context, orgID uuid.UUID, userID uuid.UUID) conte`
`769`	`769`
`770`	`770`	`// AsSystemRestricted returns a context with an actor that has permissions`
`771`	`771`	`// required for various system operations (login, logout, metrics cache).`
	`772`	`+// DO NOT USE THIS UNLESS YOU HAVE ABSOLUTELY NO OTHER CHOICE. Prefer using a`
	`773`	`+// more specific As* helper above (or adding a new, narrowly-scoped one) so`
	`774`	`+// that permissions remain limited to the operation you need.`
`772`	`775`	`func AsSystemRestricted(ctx context.Context) context.Context {`
`773`	`776`	`return As(ctx, subjectSystemRestricted)`
`774`	`777`	`}`