coder
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 2 additions & 2 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/database/migrations/000233_notification_preferences.down.sql renamed to ‎coderd/database/migrations/000234_notification_preferences.down.sql b/‎coderd/database/migrations/000233_notification_preferences.down.sql renamed to ‎coderd/database/migrations/000234_notification_preferences.down.sql
diff --git a/‎coderd/database/migrations/000233_notification_preferences.up.sql renamed to ‎coderd/database/migrations/000234_notification_preferences.up.sql b/‎coderd/database/migrations/000233_notification_preferences.up.sql renamed to ‎coderd/database/migrations/000234_notification_preferences.up.sql
diff --git a/‎coderd/rbac/object_gen.go
Lines changed: 2 additions & 2 deletions b/‎coderd/rbac/object_gen.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/rbac/policy/policy.go
Lines changed: 2 additions & 2 deletions b/‎coderd/rbac/policy/policy.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/rbac/roles_test.go
Lines changed: 68 additions & 0 deletions b/‎coderd/rbac/roles_test.go
Lines changed: 68 additions & 0 deletions
diff --git a/‎codersdk/rbacresources_gen.go
Lines changed: 1 addition & 1 deletion b/‎codersdk/rbacresources_gen.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎site/src/api/rbacresources_gen.ts
Lines changed: 2 additions & 2 deletions b/‎site/src/api/rbacresources_gen.ts
Lines changed: 2 additions & 2 deletions
@@ -2111,7 +2111,7 @@ func (q *querier) GetUserLinksByUserID(ctx context.Context, userID uuid.UUID) ([
 }
 
 func (q *querier) GetUserNotificationPreferences(ctx context.Context, userID uuid.UUID) ([]database.NotificationPreference, error) {
-	if err := q.authorizeContext(ctx, policy.ActionReadPersonal, rbac.ResourceUserObject(userID)); err != nil {
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceNotificationPreference.WithOwner(userID.String())); err != nil {
 		return nil, err
 	}
 	return q.db.GetUserNotificationPreferences(ctx, userID)
@@ -3350,7 +3350,7 @@ func (q *querier) UpdateUserLoginType(ctx context.Context, arg database.UpdateUs
 }
 
 func (q *querier) UpdateUserNotificationPreferences(ctx context.Context, arg database.UpdateUserNotificationPreferencesParams) (int64, error) {
-	if err := q.authorizeContext(ctx, policy.ActionUpdatePersonal, rbac.ResourceUserObject(arg.UserID)); err != nil {
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceNotificationPreference.WithOwner(arg.UserID.String())); err != nil {
 		return -1, err
 	}
 	return q.db.UpdateUserNotificationPreferences(ctx, arg)
 
@@ -263,8 +263,8 @@ var RBACPermissions = map[string]PermissionDefinition{
 	},
 	"notification_preference": {
 		Actions: map[Action]ActionDefinition{
-			ActionReadPersonal:   actDef("read own notification preferences"),
-			ActionUpdatePersonal: actDef("update own notification preferences"),
+			ActionRead:   actDef("read own notification preferences"),
+			ActionUpdate: actDef("update own notification preferences"),
 		},
 	},
 }
@@ -590,6 +590,34 @@ func TestRolePermissions(t *testing.T) {
 				false: {},
 			},
 		},
+		{
+			Name:     "NotificationPreferencesOwn",
+			Actions:  []policy.Action{policy.ActionRead, policy.ActionUpdate},
+			Resource: rbac.ResourceNotificationPreference.WithOwner(currentUser.String()),
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true: {memberMe, orgMemberMe, owner},
+				false: {
+					userAdmin, orgUserAdmin, templateAdmin,
+					orgAuditor, orgTemplateAdmin,
+					otherOrgMember, otherOrgAuditor, otherOrgUserAdmin, otherOrgTemplateAdmin,
+					orgAdmin, otherOrgAdmin,
+				},
+			},
+		},
+		{
+			Name:     "NotificationTemplates",
+			Actions:  []policy.Action{policy.ActionRead, policy.ActionUpdate},
+			Resource: rbac.ResourceNotificationTemplate,
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true: {owner},
+				false: {
+					memberMe, orgMemberMe, userAdmin, orgUserAdmin, templateAdmin,
+					orgAuditor, orgTemplateAdmin,
+					otherOrgMember, otherOrgAuditor, otherOrgUserAdmin, otherOrgTemplateAdmin,
+					orgAdmin, otherOrgAdmin,
+				},
+			},
+		},
 		// AnyOrganization tests
 		{
 			Name:     "CreateOrgMember",
@@ -630,6 +658,46 @@ func TestRolePermissions(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name:     "NotificationPreferencesAnyOrg",
+			Actions:  []policy.Action{policy.ActionRead, policy.ActionUpdate},
+			Resource: rbac.ResourceNotificationPreference.AnyOrganization().WithOwner(currentUser.String()),
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true: {orgMemberMe, orgAdmin, otherOrgAdmin, owner},
+				false: {
+					memberMe, templateAdmin, otherOrgUserAdmin, userAdmin, orgUserAdmin,
+					orgAuditor, orgTemplateAdmin,
+					otherOrgMember, otherOrgAuditor, otherOrgTemplateAdmin,
+				},
+			},
+		},
+		{
+			Name:     "NotificationPreferencesOtherUser",
+			Actions:  []policy.Action{policy.ActionRead, policy.ActionUpdate},
+			Resource: rbac.ResourceNotificationPreference.InOrg(orgID).WithOwner(uuid.NewString()), // some other user
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true: {orgAdmin, owner},
+				false: {
+					memberMe, templateAdmin, orgUserAdmin, userAdmin,
+					orgAuditor, orgTemplateAdmin,
+					otherOrgMember, otherOrgAuditor, otherOrgUserAdmin, otherOrgTemplateAdmin,
+					otherOrgAdmin, orgMemberMe,
+				},
+			},
+		},
+		{
+			Name:     "NotificationTemplateAnyOrg",
+			Actions:  []policy.Action{policy.ActionRead, policy.ActionUpdate},
+			Resource: rbac.ResourceNotificationPreference.AnyOrganization(),
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true: {orgAdmin, otherOrgAdmin, owner},
+				false: {
+					orgMemberMe, memberMe, templateAdmin, orgUserAdmin, userAdmin,
+					orgAuditor, orgTemplateAdmin,
+					otherOrgMember, otherOrgAuditor, otherOrgUserAdmin, otherOrgTemplateAdmin,
+				},
+			},
+		},
 	}
 
 	// We expect every permission to be tested above.
 
@@ -56,8 +56,8 @@ export const RBACResourceActions: Partial<
     read: "read licenses",
   },
   notification_preference: {
-    read_personal: "read own notification preferences",
-    update_personal: "update own notification preferences",
+    read: "read own notification preferences",
+    update: "update own notification preferences",
   },
   notification_template: {
     read: "read notification templates",
Original file line number	Diff line number	Diff line change
`@@ -2111,7 +2111,7 @@ func (q *querier) GetUserLinksByUserID(ctx context.Context, userID uuid.UUID) ([`
`2111`	`2111`	`}`
`2112`	`2112`
`2113`	`2113`	`func (q *querier) GetUserNotificationPreferences(ctx context.Context, userID uuid.UUID) ([]database.NotificationPreference, error) {`
`2114`		`- if err := q.authorizeContext(ctx, policy.ActionReadPersonal, rbac.ResourceUserObject(userID)); err != nil {`
	`2114`	`+ if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceNotificationPreference.WithOwner(userID.String())); err != nil {`
`2115`	`2115`	`return nil, err`
`2116`	`2116`	`}`
`2117`	`2117`	`return q.db.GetUserNotificationPreferences(ctx, userID)`
`@@ -3350,7 +3350,7 @@ func (q *querier) UpdateUserLoginType(ctx context.Context, arg database.UpdateUs`
`3350`	`3350`	`}`
`3351`	`3351`
`3352`	`3352`	`func (q *querier) UpdateUserNotificationPreferences(ctx context.Context, arg database.UpdateUserNotificationPreferencesParams) (int64, error) {`
`3353`		`- if err := q.authorizeContext(ctx, policy.ActionUpdatePersonal, rbac.ResourceUserObject(arg.UserID)); err != nil {`
	`3353`	`+ if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceNotificationPreference.WithOwner(arg.UserID.String())); err != nil {`
`3354`	`3354`	`return -1, err`
`3355`	`3355`	`}`
`3356`	`3356`	`return q.db.UpdateUserNotificationPreferences(ctx, arg)`