chore: use system context for fetching template information (coder#15205)

Emyrk · web-flow · commit 163631e79c7d · 2024-10-23T17:03:17.000-05:00
The authz check is Update() on the original template. This is not ideal,
but it follows the existing behavior. We are implicitly granting this
read access since template admins need to be able to see what
users/groups exist to assign.
diff --git a/enterprise/coderd/templates.go b/enterprise/coderd/templates.go
@@ -66,7 +66,9 @@ func (api *API) templateAvailablePermissions(rw http.ResponseWriter, r *http.Req
 			httpapi.InternalServerError(rw, err)
 			return
 		}
-		memberCount, err := api.Database.GetGroupMembersCountByGroupID(ctx, group.Group.ID)
+
+		// nolint:gocritic
+		memberCount, err := api.Database.GetGroupMembersCountByGroupID(dbauthz.AsSystemRestricted(ctx), group.Group.ID)
 		if err != nil {
 			httpapi.InternalServerError(rw, err)
 			return
diff --git a/enterprise/coderd/templates_test.go b/enterprise/coderd/templates_test.go
@@ -1494,6 +1494,10 @@ func TestUpdateTemplateACL(t *testing.T) {
 			},
 		}
 
+		// Group adds complexity to the /available endpoint
+		// Intentionally omit user2
+		coderdtest.CreateGroup(t, client, user.OrganizationID, "some-group", user3)
+
 		ctx := testutil.Context(t, testutil.WaitLong)
 
 		err := client1.UpdateTemplateACL(ctx, template.ID, req)

Original file line number	Diff line number	Diff line change
`@@ -1494,6 +1494,10 @@ func TestUpdateTemplateACL(t *testing.T) {`
`1494`	`1494`	`},`
`1495`	`1495`	`}`
`1496`	`1496`
	`1497`	`+ // Group adds complexity to the /available endpoint`
	`1498`	`+ // Intentionally omit user2`
	`1499`	`+ coderdtest.CreateGroup(t, client, user.OrganizationID, "some-group", user3)`
	`1500`	`+`
`1497`	`1501`	`ctx := testutil.Context(t, testutil.WaitLong)`
`1498`	`1502`
`1499`	`1503`	`err := client1.UpdateTemplateACL(ctx, template.ID, req)`