coder
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 4 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 4 additions & 3 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 4 additions & 3 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 1 addition & 0 deletions b/‎coderd/database/dump.sql
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/migrations/000334_add_organization_port_sharing_level.down.sql
Lines changed: 113 additions & 0 deletions b/‎coderd/database/migrations/000334_add_organization_port_sharing_level.down.sql
Lines changed: 113 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000334_add_organization_port_sharing_level.up.sql
Lines changed: 96 additions & 0 deletions b/‎coderd/database/migrations/000334_add_organization_port_sharing_level.up.sql
Lines changed: 96 additions & 0 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 3 additions & 0 deletions b/‎coderd/database/models.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/workspaceapps/db.go
Lines changed: 47 additions & 0 deletions b/‎coderd/workspaceapps/db.go
Lines changed: 47 additions & 0 deletions
@@ -0,0 +1,113 @@
+-- Remove 'organization' from the app_sharing_level enum
+
+-- Drop the view that depends on the templates table
+DROP VIEW template_with_names;
+
+CREATE TYPE new_app_sharing_level AS ENUM (
+	'owner',
+	'authenticated',
+	'public'
+);
+
+-- Update workspace_agent_port_share table to use old enum
+-- Convert any 'organization' values to 'authenticated' during downgrade
+ALTER TABLE workspace_agent_port_share
+	ALTER COLUMN share_level TYPE new_app_sharing_level USING (
+		CASE
+			WHEN share_level = 'organization' THEN 'authenticated'::new_app_sharing_level
+			ELSE share_level::text::new_app_sharing_level
+		END
+	);
+
+-- Update workspace_apps table to use old enum
+-- Convert any 'organization' values to 'authenticated' during downgrade
+ALTER TABLE workspace_apps
+	ALTER COLUMN sharing_level DROP DEFAULT,
+	ALTER COLUMN sharing_level TYPE new_app_sharing_level USING (
+		CASE
+			WHEN sharing_level = 'organization' THEN 'authenticated'::new_app_sharing_level
+			ELSE sharing_level::text::new_app_sharing_level
+		END
+	),
+	ALTER COLUMN sharing_level SET DEFAULT 'owner'::new_app_sharing_level;
+
+-- Update templates table to use old enum
+-- Convert any 'organization' values to 'authenticated' during downgrade
+ALTER TABLE templates
+	ALTER COLUMN max_port_sharing_level DROP DEFAULT,
+	ALTER COLUMN max_port_sharing_level TYPE new_app_sharing_level USING (
+		CASE
+			WHEN max_port_sharing_level = 'organization' THEN 'authenticated'::new_app_sharing_level
+			ELSE max_port_sharing_level::text::new_app_sharing_level
+		END
+	),
+	ALTER COLUMN max_port_sharing_level SET DEFAULT 'owner'::new_app_sharing_level;
+
+-- Drop old enum and rename new one
+DROP TYPE app_sharing_level;
+ALTER TYPE new_app_sharing_level RENAME TO app_sharing_level;
+
+-- Recreate the template_with_names view
+CREATE VIEW template_with_names AS
+SELECT
+    templates.id,
+    templates.created_at,
+    templates.updated_at,
+    templates.organization_id,
+    templates.deleted,
+    templates.name,
+    templates.provisioner,
+    templates.active_version_id,
+    templates.description,
+    templates.default_ttl,
+    templates.created_by,
+    templates.icon,
+    templates.user_acl,
+    templates.group_acl,
+    templates.display_name,
+    templates.allow_user_cancel_workspace_jobs,
+    templates.allow_user_autostart,
+    templates.allow_user_autostop,
+    templates.failure_ttl,
+    templates.time_til_dormant,
+    templates.time_til_dormant_autodelete,
+    templates.autostop_requirement_days_of_week,
+    templates.autostop_requirement_weeks,
+    templates.autostart_block_days_of_week,
+    templates.require_active_version,
+    templates.deprecated,
+    templates.activity_bump,
+    templates.max_port_sharing_level,
+    templates.use_classic_parameter_flow,
+    COALESCE(
+        visible_users.avatar_url,
+        ''::text
+    ) AS created_by_avatar_url,
+    COALESCE(
+        visible_users.username,
+        ''::text
+    ) AS created_by_username,
+    COALESCE(visible_users.name, ''::text) AS created_by_name,
+    COALESCE(organizations.name, ''::text) AS organization_name,
+    COALESCE(
+        organizations.display_name,
+        ''::text
+    ) AS organization_display_name,
+    COALESCE(organizations.icon, ''::text) AS organization_icon
+FROM (
+        (
+            templates
+            LEFT JOIN visible_users ON (
+                (
+                    templates.created_by = visible_users.id
+                )
+            )
+        )
+        LEFT JOIN organizations ON (
+            (
+                templates.organization_id = organizations.id
+            )
+        )
+    );
+
+COMMENT ON VIEW template_with_names IS 'Joins in the display name information such as username, avatar, and organization name.';
@@ -0,0 +1,96 @@
+-- Add 'organization' to the app_sharing_level enum
+
+-- Drop the view that depends on the templates table
+DROP VIEW template_with_names;
+
+CREATE TYPE new_app_sharing_level AS ENUM (
+	'owner',
+	'authenticated',
+	'organization',
+	'public'
+);
+
+-- Update workspace_agent_port_share table to use new enum
+ALTER TABLE workspace_agent_port_share
+	ALTER COLUMN share_level TYPE new_app_sharing_level USING (share_level::text::new_app_sharing_level);
+
+-- Update workspace_apps table to use new enum
+ALTER TABLE workspace_apps
+	ALTER COLUMN sharing_level DROP DEFAULT,
+	ALTER COLUMN sharing_level TYPE new_app_sharing_level USING (sharing_level::text::new_app_sharing_level),
+	ALTER COLUMN sharing_level SET DEFAULT 'owner'::new_app_sharing_level;
+
+-- Update templates table to use new enum
+ALTER TABLE templates
+	ALTER COLUMN max_port_sharing_level DROP DEFAULT,
+	ALTER COLUMN max_port_sharing_level TYPE new_app_sharing_level USING (max_port_sharing_level::text::new_app_sharing_level),
+	ALTER COLUMN max_port_sharing_level SET DEFAULT 'owner'::new_app_sharing_level;
+
+-- Drop old enum and rename new one
+DROP TYPE app_sharing_level;
+ALTER TYPE new_app_sharing_level RENAME TO app_sharing_level;
+
+-- Recreate the template_with_names view
+CREATE VIEW template_with_names AS
+SELECT
+    templates.id,
+    templates.created_at,
+    templates.updated_at,
+    templates.organization_id,
+    templates.deleted,
+    templates.name,
+    templates.provisioner,
+    templates.active_version_id,
+    templates.description,
+    templates.default_ttl,
+    templates.created_by,
+    templates.icon,
+    templates.user_acl,
+    templates.group_acl,
+    templates.display_name,
+    templates.allow_user_cancel_workspace_jobs,
+    templates.allow_user_autostart,
+    templates.allow_user_autostop,
+    templates.failure_ttl,
+    templates.time_til_dormant,
+    templates.time_til_dormant_autodelete,
+    templates.autostop_requirement_days_of_week,
+    templates.autostop_requirement_weeks,
+    templates.autostart_block_days_of_week,
+    templates.require_active_version,
+    templates.deprecated,
+    templates.activity_bump,
+    templates.max_port_sharing_level,
+    templates.use_classic_parameter_flow,
+    COALESCE(
+        visible_users.avatar_url,
+        ''::text
+    ) AS created_by_avatar_url,
+    COALESCE(
+        visible_users.username,
+        ''::text
+    ) AS created_by_username,
+    COALESCE(visible_users.name, ''::text) AS created_by_name,
+    COALESCE(organizations.name, ''::text) AS organization_name,
+    COALESCE(
+        organizations.display_name,
+        ''::text
+    ) AS organization_display_name,
+    COALESCE(organizations.icon, ''::text) AS organization_icon
+FROM (
+        (
+            templates
+            LEFT JOIN visible_users ON (
+                (
+                    templates.created_by = visible_users.id
+                )
+            )
+        )
+        LEFT JOIN organizations ON (
+            (
+                templates.organization_id = organizations.id
+            )
+        )
+    );
+
+COMMENT ON VIEW template_with_names IS 'Joins in the display name information such as username, avatar, and organization name.';
@@ -316,6 +316,32 @@ func (p *DBTokenProvider) authorizeRequest(ctx context.Context, roles *rbac.Subj
 		return false, warnings, nil
 	}
 
+	// For organization level path-based apps, block access if path app sharing is disabled
+	// and the user is not in the same organization
+	if isPathApp &&
+		sharingLevel == database.AppSharingLevelOrganization &&
+		!p.DeploymentValues.Dangerous.AllowPathAppSharing.Value() {
+		// Check if user is in the same organization as the workspace
+		workspaceOrgID := dbReq.Workspace.OrganizationID
+		inSameOrg := false
+		expandedRoles, err := roles.Roles.Expand()
+		if err != nil {
+			return false, warnings, xerrors.Errorf("expand roles: %w", err)
+		}
+		for _, role := range expandedRoles {
+			if _, ok := role.Org[workspaceOrgID.String()]; ok {
+				inSameOrg = true
+				break
+			}
+		}
+		if !inSameOrg {
+			if roles != nil && slices.Contains(roles.Roles.Names(), rbac.RoleOwner()) {
+				warnings = append(warnings, "path-based apps with \"organization\" share level are only accessible by organization members (see --dangerous-allow-path-app-sharing)")
+			}
+			return false, warnings, nil
+		}
+	}
+
 	// Figure out which RBAC resource to check. For terminals we use execution
 	// instead of application connect.
 	var (
@@ -354,6 +380,27 @@ func (p *DBTokenProvider) authorizeRequest(ctx context.Context, roles *rbac.Subj
 		if err == nil {
 			return true, []string{}, nil
 		}
+	case database.AppSharingLevelOrganization:
+		// Check if the user is a member of the same organization as the workspace
+		// First check if they have permission to connect to their own workspace (enforces scopes)
+		err := p.Authorizer.Authorize(ctx, *roles, rbacAction, rbacResourceOwned)
+		if err != nil {
+			return false, warnings, nil
+		}
+
+		// Check if the user is a member of the workspace's organization
+		workspaceOrgID := dbReq.Workspace.OrganizationID
+		expandedRoles, err := roles.Roles.Expand()
+		if err != nil {
+			return false, warnings, xerrors.Errorf("expand roles: %w", err)
+		}
+		for _, role := range expandedRoles {
+			if _, ok := role.Org[workspaceOrgID.String()]; ok {
+				return true, []string{}, nil
+			}
+		}
+		// User is not a member of the workspace's organization
+		return false, warnings, nil
 	case database.AppSharingLevelPublic:
 		// We don't really care about scopes and stuff if it's public anyways.
 		// Someone with a restricted-scope API key could just not submit the API