From c6fcc6407ae86ae320a55746deef76ca9a8c330a Mon Sep 17 00:00:00 2001
From: Jaayden Halko
Date: Mon, 3 Mar 2025 23:43:59 +0000
Subject: [PATCH] fix: add org role read permissions to site wide template admins and auditors (#16733)

resolves coder/internal#388

Since site-wide admins and auditors are able to access the members page of any org, they should have read access to org roles
---
 coderd/rbac/roles.go | 6 ++++--
 coderd/rbac/roles_test.go | 4 ++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
index 7c733016430fe..da9eec2da0ea4 100644
--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -298,7 +298,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 Identifier: RoleAuditor(),
 DisplayName: "Auditor",
 Site: Permissions(map[string][]policy.Action{
- ResourceAuditLog.Type: {policy.ActionRead},
+ ResourceAssignOrgRole.Type: {policy.ActionRead},
+ ResourceAuditLog.Type: {policy.ActionRead},
 // Allow auditors to see the resources that audit logs reflect.
 ResourceTemplate.Type: {policy.ActionRead, policy.ActionViewInsights},
 ResourceUser.Type: {policy.ActionRead},
@@ -318,7 +319,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 Identifier: RoleTemplateAdmin(),
 DisplayName: "Template Admin",
 Site: Permissions(map[string][]policy.Action{
- ResourceTemplate.Type: ResourceTemplate.AvailableActions(),
+ ResourceAssignOrgRole.Type: {policy.ActionRead},
+ ResourceTemplate.Type: ResourceTemplate.AvailableActions(),
 // CRUD all files, even those they did not upload.
 ResourceFile.Type: {policy.ActionCreate, policy.ActionRead},
 ResourceWorkspace.Type: {policy.ActionRead},
diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
index b23849229e900..cf4961de07c6f 100644
--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
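Review bot: The ResourceAssignOrgRole read grant added to the Auditor's Site permissions carries no comment explaining why a site-scoped role needs to read org roles, while the neighbouring ResourceTemplate grant is annotated; the same applies to the Template Admin hunk below it. Because this sits in the Site block, the read applies to org roles in every organization, which matches the PR description but is not evident from the code on its own. I would add `// Site-wide auditors can open the members page of any org, so they need read access to org roles.` above the new line, and an equivalent comment for the Template Admin role. The enclosing ReloadBuiltinRoles body starts and ends outside both hunks.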
@@ -341,8 +341,8 @@ func TestRolePermissions(t *testing.T) {
 Actions: []policy.Action{policy.ActionRead},
 Resource: rbac.ResourceAssignOrgRole.InOrg(orgID),
 AuthorizeMap: map[bool][]hasAuthSubjects{
- true: {owner, setOrgNotMe, orgMemberMe, userAdmin},
- false: {setOtherOrg, memberMe, templateAdmin},
+ true: {owner, setOrgNotMe, orgMemberMe, userAdmin, templateAdmin},
+ false: {setOtherOrg, memberMe},
 },
 },
 {
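Review bot: The AuthorizeMap update only moves templateAdmin into the true set, so the Auditor's new ResourceAssignOrgRole read grant from roles.go is not exercised by this case. If TestRolePermissions defines an auditor subject (none is visible in this hunk), it should be listed alongside templateAdmin, e.g. `true: {owner, setOrgNotMe, orgMemberMe, userAdmin, templateAdmin, auditor},`; otherwise a case covering the auditor is needed so that grant cannot silently regress. The enclosing test table starts and ends outside the hunk.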