fix: allow users with workspace:create for any owner to list users by f0ssel · Pull Request #21947 · coder/coder
Custom roles that can create workspaces on behalf of other users need to
be able to list users to populate the owner dropdown in the workspace
creation UI.
This adds a new endpoint:
GET /organizations/{organization}/members/{user}/workspaces/available-users
The endpoint:
- Checks if the user can create workspaces for any owner in the org
- Returns all users (using system context, like templateAvailablePermissions)
- Returns minimal user data (id, username, name, avatar_url)
Also adds SDK method and tests.
Fixes #18203
f0ssel marked this pull request as ready for review
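The endpoint behaviour in the PR description above (authorize first, then an elevated read, then a minimal projection), as an added Go sketch that is not code from coder/coder. `AvailableUsers`, `grants`, `users`, `ErrForbidden` and the sample records are hypothetical and constructed for illustration; `grants` stands in for the RBAC check.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// User is a constructed full record; Email must stay server-side.
type User struct {
	ID, Username, Name, AvatarURL, Email, Org string
}

// MinimalUser carries only the fields the PR lists for the response.
type MinimalUser struct {
	ID        string `json:"id"`
	Username  string `json:"username"`
	Name      string `json:"name"`
	AvatarURL string `json:"avatar_url"`
}

var ErrForbidden = errors.New("forbidden: cannot create workspaces for other owners")

// Constructed data: grants[actor][org] means "may create workspaces for any owner in org".
var grants = map[string]map[string]bool{"template-admin": {"org1": true}}
var users = []User{
	{"u1", "alice", "Alice", "/a.png", "alice@example.com", "org1"},
	{"u2", "bob", "Bob", "/b.png", "bob@example.com", "org2"},
}

// AvailableUsers authorizes first, then performs the elevated read and
// projects each record so no extra field can reach the encoder.
func AvailableUsers(actor, org string) ([]MinimalUser, error) {
	if !grants[actor][org] {
		return nil, ErrForbidden // deny before touching the user store
	}
	out := []MinimalUser{}
	for _, u := range users { // elevated read, scoped to the requested org
		if u.Org == org {
			out = append(out, MinimalUser{u.ID, u.Username, u.Name, u.AvatarURL})
		}
	}
	return out, nil
}

func main() {
	list, err := AvailableUsers("template-admin", "org1")
	body, _ := json.Marshal(list)
	fmt.Println(string(body), err)
}
```

Projecting into a separate response type, rather than tagging fields on the full record, means a field added to `User` later cannot leak through this endpoint by default.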
Switch the Create Workspace page to use the new scoped
GET /organizations/{org}/members/me/workspaces/available-users
endpoint instead of the global GET /api/v2/users endpoint.
This adds:
- getWorkspaceAvailableUsers API client method
- workspaceAvailableUsers React Query wrapper
- WorkspaceUserAutocomplete component using MinimalUser type
- Updated CreateWorkspacePage owner state to use MinimalUser
The new endpoint only returns users the caller can create workspaces
for, providing a lower-privilege alternative to the global users list.
- Add CreateWorkspaceForMembers RBAC test case to roles_test.go verifying only owner and orgAdmin can create workspaces for any owner
- Change OwnerCanListUsers test to OrgAdminCanListUsers, using an org admin client instead of owner (owners can do everything anyway)
- Remove unnecessary IncludeProvisionerDaemon from both test sub-tests
f0ssel deleted the provisioner-d4k0 branch