coder
diff --git a/‎coderd/database/databasefake/databasefake.go
Lines changed: 2 additions & 0 deletions b/‎coderd/database/databasefake/databasefake.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 2 additions & 1 deletion b/‎coderd/database/dump.sql
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/database/migrations/000050_template_acl.down.sql
Lines changed: 1 addition & 0 deletions b/‎coderd/database/migrations/000050_template_acl.down.sql
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/migrations/000050_template_acl.up.sql
Lines changed: 1 addition & 0 deletions b/‎coderd/database/migrations/000050_template_acl.up.sql
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/modelmethods.go
Lines changed: 7 additions & 3 deletions b/‎coderd/database/modelmethods.go
Lines changed: 7 additions & 3 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/models.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 19 additions & 10 deletions b/‎coderd/database/queries.sql.go
Lines changed: 19 additions & 10 deletions
diff --git a/‎coderd/database/queries/templates.sql
Lines changed: 5 additions & 3 deletions b/‎coderd/database/queries/templates.sql
Lines changed: 5 additions & 3 deletions
diff --git a/‎coderd/rbac/builtin.go
Lines changed: 12 additions & 1 deletion b/‎coderd/rbac/builtin.go
Lines changed: 12 additions & 1 deletion
diff --git a/‎coderd/rbac/object.go
Lines changed: 4 additions & 0 deletions b/‎coderd/rbac/object.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/templates.go
Lines changed: 11 additions & 5 deletions b/‎coderd/templates.go
Lines changed: 11 additions & 5 deletions
@@ -970,6 +970,7 @@ func (q *fakeQuerier) UpdateTemplateMetaByID(_ context.Context, arg database.Upd
 		tpl.Icon = arg.Icon
 		tpl.MaxTtl = arg.MaxTtl
 		tpl.MinAutostartInterval = arg.MinAutostartInterval
+		tpl.IsPrivate = arg.IsPrivate
 		q.templates[idx] = tpl
 		return tpl, nil
 	}
@@ -1670,6 +1671,7 @@ func (q *fakeQuerier) InsertTemplate(_ context.Context, arg database.InsertTempl
 		MaxTtl:               arg.MaxTtl,
 		MinAutostartInterval: arg.MinAutostartInterval,
 		CreatedBy:            arg.CreatedBy,
+		IsPrivate:            arg.IsPrivate,
 	}
 	template = template.SetUserACL(database.UserACL{})
 	q.templates = append(q.templates, template)
 
@@ -1,6 +1,7 @@
 BEGIN;
 
 ALTER TABLE templates DROP COLUMN user_acl;
+ALTER TABLE templates DROP COLUMN is_private;
 DROP TYPE template_role;
 
 COMMIT;
@@ -1,6 +1,7 @@
 BEGIN;
 
 ALTER TABLE templates ADD COLUMN user_acl jsonb NOT NULL default '{}';
+ALTER TABLE templates ADD COLUMN is_private boolean NOT NULL default 'false';
 
 CREATE TYPE template_role AS ENUM (
 	'read',
 
@@ -57,12 +57,16 @@ func templateRoleToActions(t TemplateRole) []rbac.Action {
 }
 
 func (t Template) RBACObject() rbac.Object {
-	return rbac.ResourceTemplate.InOrg(t.OrganizationID).WithACLUserList(t.UserACL().Actions())
+	obj := rbac.ResourceTemplate
+	if t.IsPrivate {
+		obj = rbac.ResourceTemplatePrivate
+	}
+	return obj.InOrg(t.OrganizationID).WithACLUserList(t.UserACL().Actions())
 }
 
-func (t TemplateVersion) RBACObject(template Template) rbac.Object {
+func (TemplateVersion) RBACObject(template Template) rbac.Object {
 	// Just use the parent template resource for controlling versions
-	return rbac.ResourceTemplate.InOrg(t.OrganizationID).WithACLUserList(template.UserACL().Actions())
+	return template.RBACObject()
 }
 
 func (w Workspace) RBACObject() rbac.Object {
 
@@ -68,10 +68,11 @@ INSERT INTO
 		max_ttl,
 		min_autostart_interval,
 		created_by,
-		icon
+		icon,
+		is_private
 	)
 VALUES
-	($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12) RETURNING *;
+	($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13) RETURNING *;
 
 -- name: UpdateTemplateActiveVersionByID :exec
 UPDATE
@@ -100,7 +101,8 @@ SET
 	max_ttl = $4,
 	min_autostart_interval = $5,
 	name = $6,
-	icon = $7
+	icon = $7,
+	is_private = $8
 WHERE
 	id = $1
 RETURNING
 
@@ -108,7 +108,8 @@ var (
 				Name:        templateAdmin,
 				DisplayName: "Template Admin",
 				Site: permissions(map[string][]Action{
-					ResourceTemplate.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+					ResourceTemplate.Type:        {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+					ResourceTemplatePrivate.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 					// CRUD all files, even those they did not upload.
 					ResourceFile.Type:      {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 					ResourceWorkspace.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
@@ -167,11 +168,21 @@ var (
 							ResourceType: ResourceOrganization.Type,
 							Action:       ActionRead,
 						},
+						{
+							// All org members can read templates in the org
+							ResourceType: ResourceTemplate.Type,
+							Action:       ActionRead,
+						},
 						{
 							// Can read available roles.
 							ResourceType: ResourceOrgRoleAssignment.Type,
 							Action:       ActionRead,
 						},
+						{
+							// Can read public templates.
+							ResourceType: ResourceTemplate.Type,
+							Action:       ActionRead,
+						},
 					},
 				},
 			}
 
@@ -45,6 +45,10 @@ var (
 		Type: "template",
 	}
 
+	ResourceTemplatePrivate = Object{
+		Type: "template_private",
+	}
+
 	ResourceFile = Object{
 		Type: "file",
 	}
 
@@ -257,6 +257,7 @@ func (api *API) postTemplateByOrganization(rw http.ResponseWriter, r *http.Reque
 			MaxTtl:               int64(maxTTL),
 			MinAutostartInterval: int64(minAutostartInterval),
 			CreatedBy:            apiKey.UserID,
+			IsPrivate:            createTemplate.IsPrivate,
 		})
 		if err != nil {
 			return xerrors.Errorf("insert template: %s", err)
@@ -457,10 +458,8 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 
 	// Only users who are able to create templates (aka template admins)
 	// are able to control user permissions.
-	// TODO: It might be cleaner to control template perms access
-	// via a separate RBAC resource, and restrict all actions to the template
-	// admin role.
-	if len(req.UserPerms) > 0 && !api.Authorize(r, rbac.ActionCreate, template) {
+	if (len(req.UserPerms) > 0 || req.IsPrivate != nil) &&
+		!api.Authorize(r, rbac.ActionCreate, template) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}
@@ -525,7 +524,8 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 			req.Icon == template.Icon &&
 			req.MaxTTLMillis == time.Duration(template.MaxTtl).Milliseconds() &&
 			req.MinAutostartIntervalMillis == time.Duration(template.MinAutostartInterval).Milliseconds() &&
-			len(req.UserPerms) == 0 {
+			len(req.UserPerms) == 0 &&
+			(req.IsPrivate == nil || req.IsPrivate != nil && *req.IsPrivate == template.IsPrivate) {
 			return nil
 		}
 
@@ -535,6 +535,7 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 		icon := req.Icon
 		maxTTL := time.Duration(req.MaxTTLMillis) * time.Millisecond
 		minAutostartInterval := time.Duration(req.MinAutostartIntervalMillis) * time.Millisecond
+		isPrivate := template.IsPrivate
 
 		if name == "" {
 			name = template.Name
@@ -545,6 +546,9 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 		if minAutostartInterval == 0 {
 			minAutostartInterval = time.Duration(template.MinAutostartInterval)
 		}
+		if req.IsPrivate != nil {
+			isPrivate = *req.IsPrivate
+		}
 
 		if len(req.UserPerms) > 0 {
 			userACL := template.UserACL()
@@ -572,6 +576,7 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 			Icon:                 icon,
 			MaxTtl:               int64(maxTTL),
 			MinAutostartInterval: int64(minAutostartInterval),
+			IsPrivate:            isPrivate,
 		})
 		if err != nil {
 			return err
@@ -819,6 +824,7 @@ func (api *API) convertTemplate(
 		CreatedByID:                template.CreatedBy,
 		CreatedByName:              createdByName,
 		UserRoles:                  convertTemplateACL(template.UserACL()),
+		IsPrivate:                  template.IsPrivate,
 	}
 }
Original file line number	Diff line number	Diff line change
`@@ -57,12 +57,16 @@ func templateRoleToActions(t TemplateRole) []rbac.Action {`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`func (t Template) RBACObject() rbac.Object {`
`60`		`- return rbac.ResourceTemplate.InOrg(t.OrganizationID).WithACLUserList(t.UserACL().Actions())`
	`60`	`+ obj := rbac.ResourceTemplate`
	`61`	`+ if t.IsPrivate {`
	`62`	`+ obj = rbac.ResourceTemplatePrivate`
	`63`	`+ }`
	`64`	`+ return obj.InOrg(t.OrganizationID).WithACLUserList(t.UserACL().Actions())`
`61`	`65`	`}`
`62`	`66`
`63`		`-func (t TemplateVersion) RBACObject(template Template) rbac.Object {`
	`67`	`+func (TemplateVersion) RBACObject(template Template) rbac.Object {`
`64`	`68`	`// Just use the parent template resource for controlling versions`
`65`		`- return rbac.ResourceTemplate.InOrg(t.OrganizationID).WithACLUserList(template.UserACL().Actions())`
	`69`	`+ return template.RBACObject()`
`66`	`70`	`}`
`67`	`71`
`68`	`72`	`func (w Workspace) RBACObject() rbac.Object {`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,10 @@ var (`
`45`	`45`	`Type: "template",`
`46`	`46`	`}`
`47`	`47`
	`48`	`+ ResourceTemplatePrivate = Object{`
	`49`	`+ Type: "template_private",`
	`50`	`+ }`
	`51`	`+`
`48`	`52`	`ResourceFile = Object{`
`49`	`53`	`Type: "file",`
`50`	`54`	`}`