handle template acl perms

Emyrk · Emyrk · commit 560451784e7e · 2025-01-08T14:46:41.000-06:00
diff --git a/coderd/database/migrations/000283_template_read_to_use.down.sql b/coderd/database/migrations/000283_template_read_to_use.down.sql
@@ -0,0 +1,9 @@
+-- With the "use" verb now existing for templates, we need to update the acl's to
+-- include "use" where the permissions set ["read"] is present.
+-- The other permission set is ["*"] which is unaffected.
+
+UPDATE
+	templates
+SET
+	group_acl = replace(group_acl::text, '["read", "use"]', '["read"]')::jsonb,
+	user_acl = replace(user_acl::text, '["read", "use"]', '["read"]')::jsonb
diff --git a/coderd/database/migrations/000283_template_read_to_use.up.sql b/coderd/database/migrations/000283_template_read_to_use.up.sql
@@ -0,0 +1,12 @@
+-- With the "use" verb now existing for templates, we need to update the acl's to
+-- include "use" where the permissions set ["read"] is present.
+-- The other permission set is ["*"] which is unaffected.
+
+UPDATE
+	templates
+SET
+	-- Instead of trying to write a complicated SQL query to update the JSONB
+	-- object, a string replace is much simpler and easier to understand.
+	-- Both pieces of text are JSON arrays, so this safe to do.
+	group_acl = replace(group_acl::text, '["read"]', '["read", "use"]')::jsonb,
+	user_acl = replace(user_acl::text, '["read"]', '["read", "use"]')::jsonb
diff --git a/coderd/rbac/policy/policy.go b/coderd/rbac/policy/policy.go
@@ -133,8 +133,7 @@ var RBACPermissions = map[string]PermissionDefinition{
 	},
 	"template": {
 		Actions: map[Action]ActionDefinition{
-			ActionCreate: actDef("create a template"),
-			// TODO: Create a use permission maybe?
+			ActionCreate:       actDef("create a template"),
 			ActionUse:          actDef("use the template to create a workspace"),
 			ActionRead:         actDef("read template"),
 			ActionUpdate:       actDef("update a template"),
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -318,7 +318,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 		Identifier:  RoleTemplateAdmin(),
 		DisplayName: "Template Admin",
 		Site: Permissions(map[string][]policy.Action{
-			ResourceTemplate.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete, policy.ActionViewInsights},
+			ResourceTemplate.Type: ResourceTemplate.AvailableActions(),
 			// CRUD all files, even those they did not upload.
 			ResourceFile.Type:      {policy.ActionCreate, policy.ActionRead},
 			ResourceWorkspace.Type: {policy.ActionRead},
@@ -476,7 +476,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				Site:        []Permission{},
 				Org: map[string][]Permission{
 					organizationID.String(): Permissions(map[string][]policy.Action{
-						ResourceTemplate.Type:  {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete, policy.ActionViewInsights},
+						ResourceTemplate.Type:  ResourceTemplate.AvailableActions(),
 						ResourceFile.Type:      {policy.ActionCreate, policy.ActionRead},
 						ResourceWorkspace.Type: {policy.ActionRead},
 						// Assigning template perms requires this permission.
diff --git a/enterprise/coderd/templates.go b/enterprise/coderd/templates.go
@@ -16,6 +16,7 @@ import (
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
+	"github.com/coder/coder/v2/coderd/util/slice"
 	"github.com/coder/coder/v2/codersdk"
 )
 
@@ -326,7 +327,7 @@ func validateTemplateRole(role codersdk.TemplateRole) error {
 
 func convertToTemplateRole(actions []policy.Action) codersdk.TemplateRole {
 	switch {
-	case len(actions) == 1 && actions[0] == policy.ActionRead:
+	case len(actions) == 2 && slice.SameElements(actions, []policy.Action{policy.ActionUse, policy.ActionRead}):
 		return codersdk.TemplateRoleUse
 	case len(actions) == 1 && actions[0] == policy.WildcardSymbol:
 		return codersdk.TemplateRoleAdmin
@@ -340,7 +341,7 @@ func convertSDKTemplateRole(role codersdk.TemplateRole) []policy.Action {
 	case codersdk.TemplateRoleAdmin:
 		return []policy.Action{policy.WildcardSymbol}
 	case codersdk.TemplateRoleUse:
-		return []policy.Action{policy.ActionRead}
+		return []policy.Action{policy.ActionRead, policy.ActionUse}
 	}
 
 	return nil
