coder · aslilac · Jun 16, 2025 · Jun 10, 2025 · Jun 10, 2025 · Jun 10, 2025
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -101,4 +101,7 @@ Read [cursor rules](.cursorrules).
 
 ## Frontend
 
+The frontend is contained in the site folder.
+
+For building Frontend refer to [this document](docs/contributing/frontend.md)
 For building Frontend refer to [this document](docs/about/contributing/frontend.md)
@@ -24,6 +24,7 @@ message WorkspaceApp {
 		OWNER = 1;
 		AUTHENTICATED = 2;
 		PUBLIC = 3;
+		ORGANIZATION = 4;
 	}
 	SharingLevel sharing_level = 10;
 

diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
diff --git a/coderd/database/migrations/000334_add_organization_port_sharing_level.down.sql b/coderd/database/migrations/000334_add_organization_port_sharing_level.down.sql
@@ -0,0 +1,92 @@
+
+-- Drop the view that depends on the templates table
+DROP VIEW template_with_names;
+
+-- Remove 'organization' from the app_sharing_level enum
+CREATE TYPE new_app_sharing_level AS ENUM (
+	'owner',
+	'authenticated',
+	'public'
+);
+
+-- Update workspace_agent_port_share table to use old enum
+-- Convert any 'organization' values to 'authenticated' during downgrade
+ALTER TABLE workspace_agent_port_share
+	ALTER COLUMN share_level TYPE new_app_sharing_level USING (
+		CASE
+			WHEN share_level = 'organization' THEN 'authenticated'::new_app_sharing_level
+			ELSE share_level::text::new_app_sharing_level
+		END
+	);
+
+-- Update workspace_apps table to use old enum
+-- Convert any 'organization' values to 'authenticated' during downgrade
+ALTER TABLE workspace_apps
+	ALTER COLUMN sharing_level DROP DEFAULT,
+	ALTER COLUMN sharing_level TYPE new_app_sharing_level USING (
+		CASE
+			WHEN sharing_level = 'organization' THEN 'authenticated'::new_app_sharing_level
+			ELSE sharing_level::text::new_app_sharing_level
+		END
+	),
+	ALTER COLUMN sharing_level SET DEFAULT 'owner'::new_app_sharing_level;
+
+-- Update templates table to use old enum
+-- Convert any 'organization' values to 'authenticated' during downgrade
+ALTER TABLE templates
+	ALTER COLUMN max_port_sharing_level DROP DEFAULT,
+	ALTER COLUMN max_port_sharing_level TYPE new_app_sharing_level USING (
+		CASE
+			WHEN max_port_sharing_level = 'organization' THEN 'owner'::new_app_sharing_level
+			ELSE max_port_sharing_level::text::new_app_sharing_level
+		END
+	),
+	ALTER COLUMN max_port_sharing_level SET DEFAULT 'owner'::new_app_sharing_level;
+
+-- Drop old enum and rename new one
+DROP TYPE app_sharing_level;
+ALTER TYPE new_app_sharing_level RENAME TO app_sharing_level;
+
+-- Recreate the template_with_names view
+
+CREATE VIEW template_with_names AS
+	SELECT templates.id,
+		templates.created_at,
+		templates.updated_at,
+		templates.organization_id,
+		templates.deleted,
+		templates.name,
+		templates.provisioner,
+		templates.active_version_id,
+		templates.description,
+		templates.default_ttl,
+		templates.created_by,
+		templates.icon,
+		templates.user_acl,
+		templates.group_acl,
+		templates.display_name,
+		templates.allow_user_cancel_workspace_jobs,
+		templates.allow_user_autostart,
+		templates.allow_user_autostop,
+		templates.failure_ttl,
+		templates.time_til_dormant,
+		templates.time_til_dormant_autodelete,
+		templates.autostop_requirement_days_of_week,
+		templates.autostop_requirement_weeks,
+		templates.autostart_block_days_of_week,
+		templates.require_active_version,
+		templates.deprecated,
+		templates.activity_bump,
+		templates.max_port_sharing_level,
+		templates.use_classic_parameter_flow,
+		COALESCE(visible_users.avatar_url, ''::text) AS created_by_avatar_url,
+		COALESCE(visible_users.username, ''::text) AS created_by_username,
+		COALESCE(visible_users.name, ''::text) AS created_by_name,
+		COALESCE(organizations.name, ''::text) AS organization_name,
+		COALESCE(organizations.display_name, ''::text) AS organization_display_name,
+		COALESCE(organizations.icon, ''::text) AS organization_icon
+	FROM ((templates
+	  LEFT JOIN visible_users ON ((templates.created_by = visible_users.id)))
+	  LEFT JOIN organizations ON ((templates.organization_id = organizations.id)));
+
+COMMENT ON VIEW template_with_names IS 'Joins in the display name information such as username, avatar, and organization name.';
diff --git a/coderd/database/migrations/000334_add_organization_port_sharing_level.up.sql b/coderd/database/migrations/000334_add_organization_port_sharing_level.up.sql
@@ -0,0 +1,73 @@
+-- Drop the view that depends on the templates table
+DROP VIEW template_with_names;
+
+-- Add 'organization' to the app_sharing_level enum
+CREATE TYPE new_app_sharing_level AS ENUM (
+	'owner',
+	'authenticated',
+	'organization',
+	'public'
+);
+
+-- Update workspace_agent_port_share table to use new enum
+ALTER TABLE workspace_agent_port_share
+	ALTER COLUMN share_level TYPE new_app_sharing_level USING (share_level::text::new_app_sharing_level);
+
+-- Update workspace_apps table to use new enum
+ALTER TABLE workspace_apps
+	ALTER COLUMN sharing_level DROP DEFAULT,
+	ALTER COLUMN sharing_level TYPE new_app_sharing_level USING (sharing_level::text::new_app_sharing_level),
+	ALTER COLUMN sharing_level SET DEFAULT 'owner'::new_app_sharing_level;
+
+-- Update templates table to use new enum
+ALTER TABLE templates
+	ALTER COLUMN max_port_sharing_level DROP DEFAULT,
+	ALTER COLUMN max_port_sharing_level TYPE new_app_sharing_level USING (max_port_sharing_level::text::new_app_sharing_level),
+	ALTER COLUMN max_port_sharing_level SET DEFAULT 'owner'::new_app_sharing_level;
+
+-- Drop old enum and rename new one
+DROP TYPE app_sharing_level;
+ALTER TYPE new_app_sharing_level RENAME TO app_sharing_level;
+
+-- Recreate the template_with_names view
+CREATE VIEW template_with_names AS
+	SELECT templates.id,
+		templates.created_at,
+		templates.updated_at,
+		templates.organization_id,
+		templates.deleted,
+		templates.name,
+		templates.provisioner,
+		templates.active_version_id,
+		templates.description,
+		templates.default_ttl,
+		templates.created_by,
+		templates.icon,
+		templates.user_acl,
+		templates.group_acl,
+		templates.display_name,
+		templates.allow_user_cancel_workspace_jobs,
+		templates.allow_user_autostart,
+		templates.allow_user_autostop,
+		templates.failure_ttl,
+		templates.time_til_dormant,
+		templates.time_til_dormant_autodelete,
+		templates.autostop_requirement_days_of_week,
+		templates.autostop_requirement_weeks,
+		templates.autostart_block_days_of_week,
+		templates.require_active_version,
+		templates.deprecated,
+		templates.activity_bump,
+		templates.max_port_sharing_level,
+		templates.use_classic_parameter_flow,
+		COALESCE(visible_users.avatar_url, ''::text) AS created_by_avatar_url,
+		COALESCE(visible_users.username, ''::text) AS created_by_username,
+		COALESCE(visible_users.name, ''::text) AS created_by_name,
+		COALESCE(organizations.name, ''::text) AS organization_name,
+		COALESCE(organizations.display_name, ''::text) AS organization_display_name,
+		COALESCE(organizations.icon, ''::text) AS organization_icon
+	FROM ((templates
+	  LEFT JOIN visible_users ON ((templates.created_by = visible_users.id)))
+	  LEFT JOIN organizations ON ((templates.organization_id = organizations.id)));
+
+COMMENT ON VIEW template_with_names IS 'Joins in the display name information such as username, avatar, and organization name.';
diff --git a/coderd/database/models.go b/coderd/database/models.go
diff --git a/coderd/workspaceapps/db.go b/coderd/workspaceapps/db.go
@@ -258,7 +258,7 @@ func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *
 	return &token, tokenStr, true
 }
 
-// authorizeRequest returns true/false if the request is authorized. The returned []string
+// authorizeRequest returns true if the request is authorized. The returned []string
 // are warnings that aid in debugging. These messages do not prevent authorization,
 // but may indicate that the request is not configured correctly.
 // If an error is returned, the request should be aborted with a 500 error.
@@ -310,7 +310,7 @@ func (p *DBTokenProvider) authorizeRequest(ctx context.Context, roles *rbac.Subj
 		// This is not ideal to check for the 'owner' role, but we are only checking
 		// to determine whether to show a warning for debugging reasons. This does
 		// not do any authz checks, so it is ok.
-		if roles != nil && slices.Contains(roles.Roles.Names(), rbac.RoleOwner()) {
+		if slices.Contains(roles.Roles.Names(), rbac.RoleOwner()) {
 			warnings = append(warnings, "path-based apps with \"owner\" share level are only accessible by the workspace owner (see --dangerous-allow-path-app-site-owner-access)")
 		}
 		return false, warnings, nil
@@ -354,6 +354,27 @@ func (p *DBTokenProvider) authorizeRequest(ctx context.Context, roles *rbac.Subj
 		if err == nil {
 			return true, []string{}, nil
 		}
+	case database.AppSharingLevelOrganization:
+		// Check if the user is a member of the same organization as the workspace
+		// First check if they have permission to connect to their own workspace (enforces scopes)
+		err := p.Authorizer.Authorize(ctx, *roles, rbacAction, rbacResourceOwned)
+		if err != nil {
+			return false, warnings, nil
+		}
+
+		// Check if the user is a member of the workspace's organization
+		workspaceOrgID := dbReq.Workspace.OrganizationID
+		expandedRoles, err := roles.Roles.Expand()
+		if err != nil {
+			return false, warnings, xerrors.Errorf("expand roles: %w", err)
+		}
+		for _, role := range expandedRoles {
+			if _, ok := role.Org[workspaceOrgID.String()]; ok {
+				return true, []string{}, nil
+			}
+		}
+		// User is not a member of the workspace's organization
+		return false, warnings, nil
 	case database.AppSharingLevelPublic:
 		// We don't really care about scopes and stuff if it's public anyways.
 		// Someone with a restricted-scope API key could just not submit the API