feat!: drop reading other 'user' permission (#8650)

* feat: drop reading other 'user' permission Members of the platform can no longer read or list other users. Resources that have "created_by" or "initiated_by" still retain user context, but only include username and avatar url. Attempting to read a user found via those means will result in a 404. * Hide /users page for regular users * make groups a privledged endpoint * Permissions page for template perms * Admin for a given template enables an endpoint for listing users/groups.
2025-07-06 15:41:45 +00:00 · 2023-07-26 10:33:48 -04:00
parent 8649a10441
commit 2089006fbc
31 changed files with 585 additions and 125 deletions
--- a/enterprise/coderd/groups_test.go
+++ b/enterprise/coderd/groups_test.go
@ -474,9 +474,8 @@ func TestGroup(t *testing.T) {
 		})
 		require.NoError(t, err)

-		ggroup, err := client1.Group(ctx, group.ID)
-		require.NoError(t, err)
-		require.Equal(t, group, ggroup)
+		_, err = client1.Group(ctx, group.ID)
+		require.Error(t, err, "regular users cannot read groups")
 	})

 	t.Run("FilterDeletedUsers", func(t *testing.T) {