coder
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 11 additions & 11 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 11 additions & 11 deletions
diff --git a/‎coderd/database/dbmem/dbmem.go
Lines changed: 72 additions & 2 deletions b/‎coderd/database/dbmem/dbmem.go
Lines changed: 72 additions & 2 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 1 addition & 1 deletion b/‎coderd/database/dump.sql
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/migrations/000209_custom_roles.up.sql
Lines changed: 1 addition & 1 deletion b/‎coderd/database/migrations/000209_custom_roles.up.sql
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/migrations/testdata/fixtures/000209_custom_roles.up.sql
Lines changed: 1 addition & 1 deletion b/‎coderd/database/migrations/testdata/fixtures/000209_custom_roles.up.sql
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/models.go
Lines changed: 1 addition & 1 deletion b/‎coderd/database/models.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 46 additions & 12 deletions b/‎coderd/database/queries.sql.go
Lines changed: 46 additions & 12 deletions
diff --git a/‎coderd/database/queries/roles.sql
Lines changed: 2 additions & 2 deletions b/‎coderd/database/queries/roles.sql
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/rbac/object_gen.go
Lines changed: 2 additions & 1 deletion b/‎coderd/rbac/object_gen.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/rbac/policy/policy.go
Lines changed: 2 additions & 1 deletion b/‎coderd/rbac/policy/policy.go
Lines changed: 2 additions & 1 deletion
@@ -597,7 +597,7 @@ func (q *querier) canAssignRoles(ctx context.Context, orgID *uuid.UUID, added, r
 	}
 
 	grantedRoles := append(added, removed...)
-	notBuiltInRoles := make([]string, 0)
+	customRoles := make([]string, 0)
 	// Validate that the roles being assigned are valid.
 	for _, r := range grantedRoles {
 		_, isOrgRole := rbac.IsOrgRole(r)
@@ -610,25 +610,25 @@ func (q *querier) canAssignRoles(ctx context.Context, orgID *uuid.UUID, added, r
 
 		// All roles should be valid roles
 		if _, err := rbac.RoleByName(r); err != nil {
-			notBuiltInRoles = append(notBuiltInRoles, r)
+			customRoles = append(customRoles, r)
 		}
 	}
 
-	notBuiltInRolesMap := make(map[string]struct{}, len(notBuiltInRoles))
-	for _, r := range notBuiltInRoles {
-		notBuiltInRolesMap[r] = struct{}{}
+	customRolesMap := make(map[string]struct{}, len(customRoles))
+	for _, r := range customRoles {
+		customRolesMap[r] = struct{}{}
 	}
 
-	if len(notBuiltInRoles) > 0 {
-		customRoles, err := q.CustomRolesByName(ctx, notBuiltInRoles)
+	if len(customRoles) > 0 {
+		customRoles, err := q.CustomRolesByName(ctx, customRoles)
 		if err != nil {
 			return xerrors.Errorf("fetching custom roles: %w", err)
 		}
 
 		// If the lists are not identical, then have a problem, as some roles
 		// provided do no exist.
-		if len(customRoles) != len(notBuiltInRoles) {
-			for _, role := range notBuiltInRoles {
+		if len(customRoles) != len(customRoles) {
+			for _, role := range customRoles {
 				// Stop at the first one found. We could make a better error that
 				// returns them all, but then someone could pass in a large list to make us do
 				// a lot of loop iterations.
@@ -654,7 +654,7 @@ func (q *querier) canAssignRoles(ctx context.Context, orgID *uuid.UUID, added, r
 	}
 
 	for _, roleName := range grantedRoles {
-		if _, isCustom := notBuiltInRolesMap[roleName]; isCustom {
+		if _, isCustom := customRolesMap[roleName]; isCustom {
 			// For now, use a constant name so our static assign map still works.
 			roleName = rbac.CustomSiteRole()
 		}
@@ -750,7 +750,7 @@ func (q *querier) customRoleEscalationCheck(ctx context.Context, actor rbac.Subj
 
 	if perm.Action == policy.WildcardSymbol || perm.ResourceType == policy.WildcardSymbol {
 		// It is possible to check for supersets with wildcards, but wildcards can also
-		// include resources and actions that do not exist. Custom roles should only be allowed
+		// include resources and actions that do not exist today. Custom roles should only be allowed
 		// to include permissions for existing resources.
 		return xerrors.Errorf("invalid permission for action=%q type=%q, no wildcard symbols", perm.Action, perm.ResourceType)
 	}
 
@@ -3168,6 +3168,30 @@ func (q *FakeQuerier) GetTemplateAppInsights(ctx context.Context, arg database.G
 			GROUP BY
 				start_time, user_id, slug, display_name, icon
 		),
+		-- Analyze the users unique app usage across all templates. Count
+		-- usage across consecutive intervals as continuous usage.
+		times_used AS (
+			SELECT DISTINCT ON (user_id, slug, display_name, icon, uniq)
+				slug,
+				display_name,
+				icon,
+				-- Turn start_time into a unique identifier that identifies a users
+				-- continuous app usage. The value of uniq is otherwise garbage.
+				--
+				-- Since we're aggregating per user app usage across templates,
+				-- there can be duplicate start_times. To handle this, we use the
+				-- dense_rank() function, otherwise row_number() would suffice.
+				start_time - (
+					dense_rank() OVER (
+						PARTITION BY
+							user_id, slug, display_name, icon
+						ORDER BY
+							start_time
+					) * '30 minutes'::interval
+				) AS uniq
+			FROM
+				template_usage_stats_with_apps
+		),
 	*/
 
 	// Due to query optimizations, this logic is somewhat inverted from
@@ -3179,12 +3203,19 @@ func (q *FakeQuerier) GetTemplateAppInsights(ctx context.Context, arg database.G
 		DisplayName string
 		Icon        string
 	}
+	type appTimesUsedGroupBy struct {
+		UserID      uuid.UUID
+		Slug        string
+		DisplayName string
+		Icon        string
+	}
 	type appInsightsRow struct {
 		appInsightsGroupBy
 		TemplateIDs  []uuid.UUID
 		AppUsageMins int64
 	}
 	appInsightRows := make(map[appInsightsGroupBy]appInsightsRow)
+	appTimesUsedRows := make(map[appTimesUsedGroupBy]map[time.Time]struct{})
 	// FROM
 	for _, stat := range q.templateUsageStats {
 		// WHERE
@@ -3220,9 +3251,42 @@ func (q *FakeQuerier) GetTemplateAppInsights(ctx context.Context, arg database.G
 			row.TemplateIDs = append(row.TemplateIDs, stat.TemplateID)
 			row.AppUsageMins = least(row.AppUsageMins+appUsage, 30)
 			appInsightRows[key] = row
+
+			// Prepare to do times_used calculation, distinct start times.
+			timesUsedKey := appTimesUsedGroupBy{
+				UserID:      stat.UserID,
+				Slug:        slug,
+				DisplayName: app.DisplayName,
+				Icon:        app.Icon,
+			}
+			if appTimesUsedRows[timesUsedKey] == nil {
+				appTimesUsedRows[timesUsedKey] = make(map[time.Time]struct{})
+			}
+			// This assigns a distinct time, so we don't need to
+			// dense_rank() later on, we can simply do row_number().
+			appTimesUsedRows[timesUsedKey][stat.StartTime] = struct{}{}
 		}
 	}
 
+	appTimesUsedTempRows := make(map[appTimesUsedGroupBy][]time.Time)
+	for key, times := range appTimesUsedRows {
+		for t := range times {
+			appTimesUsedTempRows[key] = append(appTimesUsedTempRows[key], t)
+		}
+	}
+	for _, times := range appTimesUsedTempRows {
+		slices.SortFunc(times, func(a, b time.Time) int {
+			return int(a.Sub(b))
+		})
+	}
+	for key, times := range appTimesUsedTempRows {
+		uniq := make(map[time.Time]struct{})
+		for i, t := range times {
+			uniq[t.Add(-(30 * time.Minute * time.Duration(i)))] = struct{}{}
+		}
+		appTimesUsedRows[key] = uniq
+	}
+
 	/*
 		-- Even though we allow identical apps to be aggregated across
 		-- templates, we still want to be able to report which templates
@@ -3307,14 +3371,20 @@ func (q *FakeQuerier) GetTemplateAppInsights(ctx context.Context, arg database.G
 
 	var rows []database.GetTemplateAppInsightsRow
 	for key, gr := range groupedRows {
-		rows = append(rows, database.GetTemplateAppInsightsRow{
+		row := database.GetTemplateAppInsightsRow{
 			TemplateIDs:  templateRows[key].TemplateIDs,
 			ActiveUsers:  int64(len(uniqueSortedUUIDs(gr.ActiveUserIDs))),
 			Slug:         key.Slug,
 			DisplayName:  key.DisplayName,
 			Icon:         key.Icon,
 			UsageSeconds: gr.UsageSeconds,
-		})
+		}
+		for tuk, uniq := range appTimesUsedRows {
+			if key.Slug == tuk.Slug && key.DisplayName == tuk.DisplayName && key.Icon == tuk.Icon {
+				row.TimesUsed += int64(len(uniq))
+			}
+		}
+		rows = append(rows, row)
 	}
 
 	// NOTE(mafredri): Add sorting if we decide on how to handle PostgreSQL collations.
 
@@ -18,7 +18,7 @@ CREATE TABLE custom_roles (
 
 	-- extra convenience meta data.
 	created_at timestamp with time zone NOT NULL DEFAULT CURRENT_TIMESTAMP,
-	last_updated timestamp with time zone NOT NULL DEFAULT CURRENT_TIMESTAMP
+	updated_at timestamp with time zone NOT NULL DEFAULT CURRENT_TIMESTAMP
 );
 
 -- Ensure no case variants of the same roles
 
@@ -6,7 +6,7 @@ INSERT INTO
 	org_permissions,
 	user_permissions,
 	created_at,
-	last_updated
+	updated_at
 )
 VALUES
 	(
 
@@ -18,7 +18,7 @@ INSERT INTO
 	    org_permissions,
 	    user_permissions,
 	    created_at,
-		last_updated
+		updated_at
 )
 VALUES (
         -- Always force lowercase names
@@ -36,6 +36,6 @@ ON CONFLICT (name)
 	site_permissions = @site_permissions,
 	org_permissions = @org_permissions,
 	user_permissions = @user_permissions,
-	last_updated = now()
+	updated_at = now()
 RETURNING *
 ;
@@ -209,7 +209,8 @@ var RBACPermissions = map[string]PermissionDefinition{
 		Actions: map[Action]ActionDefinition{
 			ActionAssign: actDef("ability to assign roles"),
 			ActionRead:   actDef("view what roles are assignable"),
-			ActionDelete: actDef("ability to delete roles"),
+			ActionDelete: actDef("ability to unassign roles"),
+			ActionCreate: actDef("ability to create/delete/edit custom roles"),
 		},
 	},
 	"assign_org_role": {
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ INSERT INTO`
`6`	`6`	`org_permissions,`
`7`	`7`	`user_permissions,`
`8`	`8`	`created_at,`
`9`		`- last_updated`
	`9`	`+ updated_at`
`10`	`10`	`)`
`11`	`11`	`VALUES`
`12`	`12`	`(`