chore: implement 'use' verb to template object, read has less scope now (#16075)

Template `use` is now a verb. - Template admins can `use` all templates (org template admins same in org) - Members get the `use` perm from the `everyone` group in the `group_acl`.
2025-07-08 11:39:50 +00:00 · 2025-01-17 11:55:41 -06:00
parent 3217cb85f6
commit f34e6fd92c
17 changed files with 128 additions and 28 deletions
--- a/enterprise/coderd/templates.go
+++ b/enterprise/coderd/templates.go
@ -16,6 +16,7 @@ import (
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
+	"github.com/coder/coder/v2/coderd/util/slice"
 	"github.com/coder/coder/v2/codersdk"
 )

@ -222,7 +223,7 @@ func (api *API) patchTemplateACL(rw http.ResponseWriter, r *http.Request) {
 					delete(template.UserACL, id)
 					continue
 				}
-				template.UserACL[id] = convertSDKTemplateRole(role)
+				template.UserACL[id] = db2sdk.TemplateRoleActions(role)
 			}
 		}

@ -234,7 +235,7 @@ func (api *API) patchTemplateACL(rw http.ResponseWriter, r *http.Request) {
 					delete(template.GroupACL, id)
 					continue
 				}
-				template.GroupACL[id] = convertSDKTemplateRole(role)
+				template.GroupACL[id] = db2sdk.TemplateRoleActions(role)
 			}
 		}

@ -316,8 +317,8 @@ func convertTemplateUsers(tus []database.TemplateUser, orgIDsByUserIDs map[uuid.
 }

 func validateTemplateRole(role codersdk.TemplateRole) error {
-	actions := convertSDKTemplateRole(role)
-	if actions == nil && role != codersdk.TemplateRoleDeleted {
+	actions := db2sdk.TemplateRoleActions(role)
+	if len(actions) == 0 && role != codersdk.TemplateRoleDeleted {
 		return xerrors.Errorf("role %q is not a valid Template role", role)
 	}

@ -326,7 +327,7 @@ func validateTemplateRole(role codersdk.TemplateRole) error {

 func convertToTemplateRole(actions []policy.Action) codersdk.TemplateRole {
 	switch {
-	case len(actions) == 1 && actions[0] == policy.ActionRead:
+	case len(actions) == 2 && slice.SameElements(actions, []policy.Action{policy.ActionUse, policy.ActionRead}):
 		return codersdk.TemplateRoleUse
 	case len(actions) == 1 && actions[0] == policy.WildcardSymbol:
 		return codersdk.TemplateRoleAdmin
@ -335,17 +336,6 @@ func convertToTemplateRole(actions []policy.Action) codersdk.TemplateRole {
 	return ""
 }

-func convertSDKTemplateRole(role codersdk.TemplateRole) []policy.Action {
-	switch role {
-	case codersdk.TemplateRoleAdmin:
-		return []policy.Action{policy.WildcardSymbol}
-	case codersdk.TemplateRoleUse:
-		return []policy.Action{policy.ActionRead}
-	}
-
-	return nil
-}
-
 // TODO move to api.RequireFeatureMW when we are OK with changing the behavior.
 func (api *API) templateRBACEnabledMW(next http.Handler) http.Handler {
 	return api.RequireFeatureMW(codersdk.FeatureTemplateRBAC)(next)