feat: Add rbac to templateversion+orgmember endpoints (#1713)

coderd/rbac/builtin.go

@@ -135,6 +135,12 @@ var (
 							Action:       ActionRead,
 							ResourceID:   "*",
 						},
+						{
+							// Can read available roles.
+							ResourceType: ResourceOrgRoleAssignment.Type,
+							ResourceID:   "*",
+							Action:       ActionRead,
+						},
 					},
 				},
 			}
@@ -217,6 +223,37 @@ func SiteRoles() []Role {
 	return roles
 }
 
+// ChangeRoleSet is a helper function that finds the difference of 2 sets of
+// roles. When setting a user's new roles, it is equivalent to adding and
+// removing roles. This set determines the changes, so that the appropriate
+// RBAC checks can be applied using "ActionCreate" and "ActionDelete" for
+// "added" and "removed" roles respectively.
+func ChangeRoleSet(from []string, to []string) (added []string, removed []string) {
+	has := make(map[string]struct{})
+	for _, exists := range from {
+		has[exists] = struct{}{}
+	}
+
+	for _, roleName := range to {
+		// If the user already has the role assigned, we don't need to check the permission
+		// to reassign it. Only run permission checks on the difference in the set of
+		// roles.
+		if _, ok := has[roleName]; ok {
+			delete(has, roleName)
+			continue
+		}
+
+		added = append(added, roleName)
+	}
+
+	// Remaining roles are the ones removed/deleted.
+	for roleName := range has {
+		removed = append(removed, roleName)
+	}
+
+	return added, removed
+}
+
 // roleName is a quick helper function to return
 // 	role_name:scopeID
 // If no scopeID is required, only 'role_name' is returned