coder
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 55 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 55 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 51 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 51 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 4 additions & 4 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 4 additions & 4 deletions
diff --git a/‎coderd/rbac/roles.go
Lines changed: 9 additions & 9 deletions b/‎coderd/rbac/roles.go
Lines changed: 9 additions & 9 deletions
diff --git a/‎coderd/users.go
Lines changed: 41 additions & 42 deletions b/‎coderd/users.go
Lines changed: 41 additions & 42 deletions
diff --git a/‎codersdk/templates.go
Lines changed: 7 additions & 0 deletions b/‎codersdk/templates.go
Lines changed: 7 additions & 0 deletions
@@ -2614,24 +2614,24 @@ func (q *querier) GetAuthorizedTemplates(ctx context.Context, arg database.GetTe
 }
 
 func (q *querier) GetTemplateGroupRoles(ctx context.Context, id uuid.UUID) ([]database.TemplateGroup, error) {
-	// An actor is authorized to read template group roles if they are authorized to read the template.
+	// An actor is authorized to read template group roles if they are authorized to update the template.
 	template, err := q.db.GetTemplateByID(ctx, id)
 	if err != nil {
 		return nil, err
 	}
-	if err := q.authorizeContext(ctx, rbac.ActionRead, template); err != nil {
+	if err := q.authorizeContext(ctx, rbac.ActionUpdate, template); err != nil {
 		return nil, err
 	}
 	return q.db.GetTemplateGroupRoles(ctx, id)
 }
 
 func (q *querier) GetTemplateUserRoles(ctx context.Context, id uuid.UUID) ([]database.TemplateUser, error) {
-	// An actor is authorized to query template user roles if they are authorized to read the template.
+	// An actor is authorized to query template user roles if they are authorized to update the template.
 	template, err := q.db.GetTemplateByID(ctx, id)
 	if err != nil {
 		return nil, err
 	}
-	if err := q.authorizeContext(ctx, rbac.ActionRead, template); err != nil {
+	if err := q.authorizeContext(ctx, rbac.ActionUpdate, template); err != nil {
 		return nil, err
 	}
 	return q.db.GetTemplateUserRoles(ctx, id)
 
@@ -168,6 +168,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			ResourceTemplate.Type: {ActionRead},
 			ResourceAuditLog.Type: {ActionRead},
 			ResourceUser.Type:     {ActionRead},
+			ResourceGroup.Type:    {ActionRead},
+			// Org roles are not really used yet, so grant the perm at the site level.
+			ResourceOrganizationMember.Type: {ActionRead},
 		}),
 		Org:  map[string][]Permission{},
 		User: []Permission{},
@@ -186,6 +189,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			// Needs to read all organizations since
 			ResourceOrganization.Type: {ActionRead},
 			ResourceUser.Type:         {ActionRead},
+			ResourceGroup.Type:        {ActionRead},
+			// Org roles are not really used yet, so grant the perm at the site level.
+			ResourceOrganizationMember.Type: {ActionRead},
 		}),
 		Org:  map[string][]Permission{},
 		User: []Permission{},
@@ -200,6 +206,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			// Full perms to manage org members
 			ResourceOrganizationMember.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 			ResourceGroup.Type:              {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+
+			// Org roles are not really used yet, so grant the perm at the site level.
+			ResourceOrganizationMember.Type: {ActionRead},
 		}),
 		Org:  map[string][]Permission{},
 		User: []Permission{},
@@ -255,11 +264,6 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				Site:        []Permission{},
 				Org: map[string][]Permission{
 					organizationID: {
-						{
-							// All org members can read the other members in their org.
-							ResourceType: ResourceOrganizationMember.Type,
-							Action:       ActionRead,
-						},
 						{
 							// All org members can read the organization
 							ResourceType: ResourceOrganization.Type,
@@ -270,10 +274,6 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 							ResourceType: ResourceOrgRoleAssignment.Type,
 							Action:       ActionRead,
 						},
-						{
-							ResourceType: ResourceGroup.Type,
-							Action:       ActionRead,
-						},
 					},
 				},
 				User: []Permission{},
 
@@ -182,6 +182,40 @@ func (api *API) postFirstUser(rw http.ResponseWriter, r *http.Request) {
 // @Success 200 {object} codersdk.GetUsersResponse
 // @Router /users [get]
 func (api *API) users(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	users, userCount, ok := api.GetUsers(rw, r)
+	if !ok {
+		return
+	}
+
+	userIDs := make([]uuid.UUID, 0, len(users))
+	for _, user := range users {
+		userIDs = append(userIDs, user.ID)
+	}
+	organizationIDsByMemberIDsRows, err := api.Database.GetOrganizationIDsByMemberIDs(ctx, userIDs)
+	if xerrors.Is(err, sql.ErrNoRows) {
+		err = nil
+	}
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error fetching user's organizations.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+	organizationIDsByUserID := map[uuid.UUID][]uuid.UUID{}
+	for _, organizationIDsByMemberIDsRow := range organizationIDsByMemberIDsRows {
+		organizationIDsByUserID[organizationIDsByMemberIDsRow.UserID] = organizationIDsByMemberIDsRow.OrganizationIDs
+	}
+
+	render.Status(r, http.StatusOK)
+	render.JSON(rw, r, codersdk.GetUsersResponse{
+		Users: convertUsers(users, organizationIDsByUserID),
+		Count: int(userCount),
+	})
+}
+
+func (api *API) GetUsers(rw http.ResponseWriter, r *http.Request) ([]database.User, int64, bool) {
 	ctx := r.Context()
 	query := r.URL.Query().Get("q")
 	params, errs := searchquery.Users(query)
@@ -190,12 +224,12 @@ func (api *API) users(rw http.ResponseWriter, r *http.Request) {
 			Message:     "Invalid user search query.",
 			Validations: errs,
 		})
-		return
+		return nil, -1, false
 	}
 
 	paginationParams, ok := parsePagination(rw, r)
 	if !ok {
-		return
+		return nil, -1, false
 	}
 
 	userRows, err := api.Database.GetUsers(ctx, database.GetUsersParams{
@@ -213,52 +247,17 @@ func (api *API) users(rw http.ResponseWriter, r *http.Request) {
 			Message: "Internal error fetching users.",
 			Detail:  err.Error(),
 		})
-		return
+		return nil, -1, false
 	}
+
 	// GetUsers does not return ErrNoRows because it uses a window function to get the count.
 	// So we need to check if the userRows is empty and return an empty array if so.
 	if len(userRows) == 0 {
-		httpapi.Write(ctx, rw, http.StatusOK, codersdk.GetUsersResponse{
-			Users: []codersdk.User{},
-			Count: 0,
-		})
-		return
-	}
-
-	users, err := AuthorizeFilter(api.HTTPAuth, r, rbac.ActionRead, database.ConvertUserRows(userRows))
-	if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error fetching users.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-
-	userIDs := make([]uuid.UUID, 0, len(users))
-	for _, user := range users {
-		userIDs = append(userIDs, user.ID)
-	}
-	organizationIDsByMemberIDsRows, err := api.Database.GetOrganizationIDsByMemberIDs(ctx, userIDs)
-	if xerrors.Is(err, sql.ErrNoRows) {
-		err = nil
-	}
-	if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error fetching user's organizations.",
-			Detail:  err.Error(),
-		})
-		return
-	}
-	organizationIDsByUserID := map[uuid.UUID][]uuid.UUID{}
-	for _, organizationIDsByMemberIDsRow := range organizationIDsByMemberIDsRows {
-		organizationIDsByUserID[organizationIDsByMemberIDsRow.UserID] = organizationIDsByMemberIDsRow.OrganizationIDs
+		return []database.User{}, -1, true
 	}
 
-	render.Status(r, http.StatusOK)
-	render.JSON(rw, r, codersdk.GetUsersResponse{
-		Users: convertUsers(users, organizationIDsByUserID),
-		Count: int(userRows[0].Count),
-	})
+	users := database.ConvertUserRows(userRows)
+	return users, userRows[0].Count, true
 }
 
 // Creates a new user.
 
@@ -167,6 +167,13 @@ type UpdateTemplateACL struct {
 	GroupPerms map[string]TemplateRole `json:"group_perms,omitempty" example:"<user_id>>:admin,8bd26b20-f3e8-48be-a903-46bb920cf671:use"`
 }
 
+// ACLAvailable is a list of users and groups that can be added to a template
+// ACL.
+type ACLAvailable struct {
+	Users  []MinimalUser `json:"users"`
+	Groups []Group       `json:"groups"`
+}
+
 type UpdateTemplateMeta struct {
 	Name             string `json:"name,omitempty" validate:"omitempty,template_name"`
 	DisplayName      string `json:"display_name,omitempty" validate:"omitempty,template_display_name"`
Original file line number	Diff line number	Diff line change
`@@ -2614,24 +2614,24 @@ func (q *querier) GetAuthorizedTemplates(ctx context.Context, arg database.GetTe`
`2614`	`2614`	`}`
`2615`	`2615`
`2616`	`2616`	`func (q *querier) GetTemplateGroupRoles(ctx context.Context, id uuid.UUID) ([]database.TemplateGroup, error) {`
`2617`		`- // An actor is authorized to read template group roles if they are authorized to read the template.`
	`2617`	`+ // An actor is authorized to read template group roles if they are authorized to update the template.`
`2618`	`2618`	`template, err := q.db.GetTemplateByID(ctx, id)`
`2619`	`2619`	`if err != nil {`
`2620`	`2620`	`return nil, err`
`2621`	`2621`	`}`
`2622`		`- if err := q.authorizeContext(ctx, rbac.ActionRead, template); err != nil {`
	`2622`	`+ if err := q.authorizeContext(ctx, rbac.ActionUpdate, template); err != nil {`
`2623`	`2623`	`return nil, err`
`2624`	`2624`	`}`
`2625`	`2625`	`return q.db.GetTemplateGroupRoles(ctx, id)`
`2626`	`2626`	`}`
`2627`	`2627`
`2628`	`2628`	`func (q *querier) GetTemplateUserRoles(ctx context.Context, id uuid.UUID) ([]database.TemplateUser, error) {`
`2629`		`- // An actor is authorized to query template user roles if they are authorized to read the template.`
	`2629`	`+ // An actor is authorized to query template user roles if they are authorized to update the template.`
`2630`	`2630`	`template, err := q.db.GetTemplateByID(ctx, id)`
`2631`	`2631`	`if err != nil {`
`2632`	`2632`	`return nil, err`
`2633`	`2633`	`}`
`2634`		`- if err := q.authorizeContext(ctx, rbac.ActionRead, template); err != nil {`
	`2634`	`+ if err := q.authorizeContext(ctx, rbac.ActionUpdate, template); err != nil {`
`2635`	`2635`	`return nil, err`
`2636`	`2636`	`}`
`2637`	`2637`	`return q.db.GetTemplateUserRoles(ctx, id)`