feat!: drop reading other 'user' permission (#8650)

* feat: drop reading other 'user' permission Members of the platform can no longer read or list other users. Resources that have "created_by" or "initiated_by" still retain user context, but only include username and avatar url. Attempting to read a user found via those means will result in a 404. * Hide /users page for regular users * make groups a privledged endpoint * Permissions page for template perms * Admin for a given template enables an endpoint for listing users/groups.
2025-07-06 15:41:45 +00:00 · 2023-07-26 10:33:48 -04:00
parent 8649a10441
commit 2089006fbc
31 changed files with 585 additions and 125 deletions
--- a/enterprise/coderd/coderd.go
+++ b/enterprise/coderd/coderd.go
@ -202,6 +202,7 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 				apiKeyMiddleware,
 				httpmw.ExtractTemplateParam(api.Database),
 			)
+			r.Get("/available", api.templateAvailablePermissions)
 			r.Get("/", api.templateACL)
 			r.Patch("/", api.patchTemplateACL)
 		})