fix: send workspace create/update notifications to template admins only (#16071)

DanielleMaywood · web-flow · commit 3e3de0588acf · 2025-01-15T17:43:11.000Z
Relates to #15845 Rather than sending the notification to the user, we send it to the template admins. We also do not send it to the person that created the request.
diff --git a/coderd/workspacebuilds.go b/coderd/workspacebuilds.go
@@ -446,7 +446,20 @@ func (api *API) postWorkspaceBuilds(rw http.ResponseWriter, r *http.Request) {
 	// If this workspace build has a different template version ID to the previous build
 	// we can assume it has just been updated.
 	if createBuild.TemplateVersionID != uuid.Nil && createBuild.TemplateVersionID != previousWorkspaceBuild.TemplateVersionID {
-		api.notifyWorkspaceUpdated(ctx, apiKey.UserID, workspace, createBuild.RichParameterValues)
+		// nolint:gocritic // Need system context to fetch admins
+		admins, err := findTemplateAdmins(dbauthz.AsSystemRestricted(ctx), api.Database)
+		if err != nil {
+			api.Logger.Error(ctx, "find template admins", slog.Error(err))
+		} else {
+			for _, admin := range admins {
+				// Don't send notifications to user which initiated the event.
+				if admin.ID == apiKey.UserID {
+					continue
+				}
+
+				api.notifyWorkspaceUpdated(ctx, apiKey.UserID, admin.ID, workspace, createBuild.RichParameterValues)
+			}
+		}
 	}
 
 	api.publishWorkspaceUpdate(ctx, workspace.OwnerID, wspubsub.WorkspaceEvent{
@@ -460,6 +473,7 @@ func (api *API) postWorkspaceBuilds(rw http.ResponseWriter, r *http.Request) {
 func (api *API) notifyWorkspaceUpdated(
 	ctx context.Context,
 	initiatorID uuid.UUID,
+	receiverID uuid.UUID,
 	workspace database.Workspace,
 	parameters []codersdk.WorkspaceBuildParameter,
 ) {
@@ -500,7 +514,7 @@ func (api *API) notifyWorkspaceUpdated(
 	if _, err := api.NotificationsEnqueuer.EnqueueWithData(
 		// nolint:gocritic // Need notifier actor to enqueue notifications
 		dbauthz.AsNotifier(ctx),
-		workspace.OwnerID,
+		receiverID,
 		notifications.TemplateWorkspaceManuallyUpdated,
 		map[string]string{
 			"organization": template.OrganizationName,
diff --git a/coderd/workspacebuilds_test.go b/coderd/workspacebuilds_test.go
@@ -565,30 +565,31 @@ func TestWorkspaceBuildResources(t *testing.T) {
 func TestWorkspaceBuildWithUpdatedTemplateVersionSendsNotification(t *testing.T) {
 	t.Parallel()
 
-	t.Run("OnlyOneNotification", func(t *testing.T) {
+	t.Run("NoRepeatedNotifications", func(t *testing.T) {
 		t.Parallel()
 
 		notify := &notificationstest.FakeEnqueuer{}
 
 		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, NotificationsEnqueuer: notify})
 		first := coderdtest.CreateFirstUser(t, client)
+		templateAdminClient, templateAdmin := coderdtest.CreateAnotherUser(t, client, first.OrganizationID, rbac.RoleTemplateAdmin())
 		userClient, user := coderdtest.CreateAnotherUser(t, client, first.OrganizationID)
 
 		// Create a template with an initial version
-		version := coderdtest.CreateTemplateVersion(t, client, first.OrganizationID, nil)
-		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
-		template := coderdtest.CreateTemplate(t, client, first.OrganizationID, version.ID)
+		version := coderdtest.CreateTemplateVersion(t, templateAdminClient, first.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJobCompleted(t, templateAdminClient, version.ID)
+		template := coderdtest.CreateTemplate(t, templateAdminClient, first.OrganizationID, version.ID)
 
 		// Create a workspace using this template
 		workspace := coderdtest.CreateWorkspace(t, userClient, template.ID)
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, userClient, workspace.LatestBuild.ID)
 		coderdtest.MustTransitionWorkspace(t, userClient, workspace.ID, database.WorkspaceTransitionStart, database.WorkspaceTransitionStop)
 
 		// Create a new version of the template
-		newVersion := coderdtest.CreateTemplateVersion(t, client, first.OrganizationID, nil, func(ctvr *codersdk.CreateTemplateVersionRequest) {
+		newVersion := coderdtest.CreateTemplateVersion(t, templateAdminClient, first.OrganizationID, nil, func(ctvr *codersdk.CreateTemplateVersionRequest) {
 			ctvr.TemplateID = template.ID
 		})
-		coderdtest.AwaitTemplateVersionJobCompleted(t, client, newVersion.ID)
+		coderdtest.AwaitTemplateVersionJobCompleted(t, templateAdminClient, newVersion.ID)
 
 		// Create a workspace build using this new template version
 		build := coderdtest.CreateWorkspaceBuild(t, userClient, workspace, database.WorkspaceTransitionStart, func(cwbr *codersdk.CreateWorkspaceBuildRequest) {
@@ -597,21 +598,45 @@ func TestWorkspaceBuildWithUpdatedTemplateVersionSendsNotification(t *testing.T)
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, userClient, build.ID)
 		coderdtest.MustTransitionWorkspace(t, userClient, workspace.ID, database.WorkspaceTransitionStart, database.WorkspaceTransitionStop)
 
-		// Create the workspace build _again_. We are doing this to ensure we only create 1 notification.
+		// Create the workspace build _again_. We are doing this to
+		// ensure we do not create _another_ notification. This is
+		// separate to the notifications subsystem dedupe mechanism
+		// as this build shouldn't create a notification. It shouldn't
+		// create another notification as this new build isn't changing
+		// the template version.
 		build = coderdtest.CreateWorkspaceBuild(t, userClient, workspace, database.WorkspaceTransitionStart, func(cwbr *codersdk.CreateWorkspaceBuildRequest) {
 			cwbr.TemplateVersionID = newVersion.ID
 		})
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, userClient, build.ID)
 		coderdtest.MustTransitionWorkspace(t, userClient, workspace.ID, database.WorkspaceTransitionStart, database.WorkspaceTransitionStop)
 
-		// Ensure we receive only 1 workspace manually updated notification
+		// We're going to have two notifications (one for the first user and one for the template admin)
+		// By ensuring we only have these two, we are sure the second build didn't trigger more
+		// notifications.
 		sent := notify.Sent(notificationstest.WithTemplateID(notifications.TemplateWorkspaceManuallyUpdated))
-		require.Len(t, sent, 1)
-		require.Equal(t, user.ID, sent[0].UserID)
+		require.Len(t, sent, 2)
+
+		receivers := make([]uuid.UUID, len(sent))
+		for idx, notif := range sent {
+			receivers[idx] = notif.UserID
+		}
+
+		// Check the notification was sent to the first user and template admin
+		// (both of whom have the "template admin" role), and explicitly not the
+		// workspace owner (since they initiated the workspace build).
+		require.Contains(t, receivers, templateAdmin.ID)
+		require.Contains(t, receivers, first.UserID)
+		require.NotContains(t, receivers, user.ID)
+
 		require.Contains(t, sent[0].Targets, template.ID)
 		require.Contains(t, sent[0].Targets, workspace.ID)
 		require.Contains(t, sent[0].Targets, workspace.OrganizationID)
 		require.Contains(t, sent[0].Targets, workspace.OwnerID)
+
+		require.Contains(t, sent[1].Targets, template.ID)
+		require.Contains(t, sent[1].Targets, workspace.ID)
+		require.Contains(t, sent[1].Targets, workspace.OrganizationID)
+		require.Contains(t, sent[1].Targets, workspace.OwnerID)
 	})
 
 	t.Run("ToCorrectUser", func(t *testing.T) {
@@ -621,23 +646,24 @@ func TestWorkspaceBuildWithUpdatedTemplateVersionSendsNotification(t *testing.T)
 
 		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, NotificationsEnqueuer: notify})
 		first := coderdtest.CreateFirstUser(t, client)
-		userClient, user := coderdtest.CreateAnotherUser(t, client, first.OrganizationID)
+		templateAdminClient, templateAdmin := coderdtest.CreateAnotherUser(t, client, first.OrganizationID, rbac.RoleTemplateAdmin())
+		userClient, _ := coderdtest.CreateAnotherUser(t, client, first.OrganizationID)
 
 		// Create a template with an initial version
-		version := coderdtest.CreateTemplateVersion(t, client, first.OrganizationID, nil)
-		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
-		template := coderdtest.CreateTemplate(t, client, first.OrganizationID, version.ID)
+		version := coderdtest.CreateTemplateVersion(t, templateAdminClient, first.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJobCompleted(t, templateAdminClient, version.ID)
+		template := coderdtest.CreateTemplate(t, templateAdminClient, first.OrganizationID, version.ID)
 
 		// Create a workspace using this template
 		workspace := coderdtest.CreateWorkspace(t, userClient, template.ID)
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, userClient, workspace.LatestBuild.ID)
 		coderdtest.MustTransitionWorkspace(t, userClient, workspace.ID, database.WorkspaceTransitionStart, database.WorkspaceTransitionStop)
 
 		// Create a new version of the template
-		newVersion := coderdtest.CreateTemplateVersion(t, client, first.OrganizationID, nil, func(ctvr *codersdk.CreateTemplateVersionRequest) {
+		newVersion := coderdtest.CreateTemplateVersion(t, templateAdminClient, first.OrganizationID, nil, func(ctvr *codersdk.CreateTemplateVersionRequest) {
 			ctvr.TemplateID = template.ID
 		})
-		coderdtest.AwaitTemplateVersionJobCompleted(t, client, newVersion.ID)
+		coderdtest.AwaitTemplateVersionJobCompleted(t, templateAdminClient, newVersion.ID)
 
 		// Create a workspace build using this new template version from a different user
 		ctx := testutil.Context(t, testutil.WaitShort)
@@ -652,7 +678,7 @@ func TestWorkspaceBuildWithUpdatedTemplateVersionSendsNotification(t *testing.T)
 		// Ensure we receive only 1 workspace manually updated notification and to the right user
 		sent := notify.Sent(notificationstest.WithTemplateID(notifications.TemplateWorkspaceManuallyUpdated))
 		require.Len(t, sent, 1)
-		require.Equal(t, user.ID, sent[0].UserID)
+		require.Equal(t, templateAdmin.ID, sent[0].UserID)
 		require.Contains(t, sent[0].Targets, template.ID)
 		require.Contains(t, sent[0].Targets, workspace.ID)
 		require.Contains(t, sent[0].Targets, workspace.OrganizationID)
diff --git a/coderd/workspaces.go b/coderd/workspaces.go
@@ -665,9 +665,6 @@ func createWorkspace(
 		)
 		return err
 	}, nil)
-
-	api.notifyWorkspaceCreated(ctx, workspace, req.RichParameterValues)
-
 	var bldErr wsbuilder.BuildError
 	if xerrors.As(err, &bldErr) {
 		httpapi.Write(ctx, rw, bldErr.Status, codersdk.Response{
@@ -689,6 +686,21 @@ func createWorkspace(
 		api.Logger.Error(ctx, "failed to post provisioner job to pubsub", slog.Error(err))
 	}
 
+	// nolint:gocritic // Need system context to fetch admins
+	admins, err := findTemplateAdmins(dbauthz.AsSystemRestricted(ctx), api.Database)
+	if err != nil {
+		api.Logger.Error(ctx, "find template admins", slog.Error(err))
+	} else {
+		for _, admin := range admins {
+			// Don't send notifications to user which initiated the event.
+			if admin.ID == initiatorID {
+				continue
+			}
+
+			api.notifyWorkspaceCreated(ctx, admin.ID, workspace, req.RichParameterValues)
+		}
+	}
+
 	auditReq.New = workspace.WorkspaceTable()
 
 	api.Telemetry.Report(&telemetry.Snapshot{
@@ -739,6 +751,7 @@ func createWorkspace(
 
 func (api *API) notifyWorkspaceCreated(
 	ctx context.Context,
+	receiverID uuid.UUID,
 	workspace database.Workspace,
 	parameters []codersdk.WorkspaceBuildParameter,
 ) {
@@ -773,7 +786,7 @@ func (api *API) notifyWorkspaceCreated(
 	if _, err := api.NotificationsEnqueuer.EnqueueWithData(
 		// nolint:gocritic // Need notifier actor to enqueue notifications
 		dbauthz.AsNotifier(ctx),
-		workspace.OwnerID,
+		receiverID,
 		notifications.TemplateWorkspaceCreated,
 		map[string]string{
 			"workspace": workspace.Name,
diff --git a/coderd/workspaces_test.go b/coderd/workspaces_test.go
@@ -577,22 +577,38 @@ func TestPostWorkspacesByOrganization(t *testing.T) {
 		enqueuer := notificationstest.FakeEnqueuer{}
 		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, NotificationsEnqueuer: &enqueuer})
 		user := coderdtest.CreateFirstUser(t, client)
+		templateAdminClient, templateAdmin := coderdtest.CreateAnotherUser(t, client, user.OrganizationID, rbac.RoleTemplateAdmin())
 		memberClient, memberUser := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
 
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		version := coderdtest.CreateTemplateVersion(t, templateAdminClient, user.OrganizationID, nil)
+		template := coderdtest.CreateTemplate(t, templateAdminClient, user.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJobCompleted(t, templateAdminClient, version.ID)
 
 		workspace := coderdtest.CreateWorkspace(t, memberClient, template.ID)
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, memberClient, workspace.LatestBuild.ID)
 
 		sent := enqueuer.Sent(notificationstest.WithTemplateID(notifications.TemplateWorkspaceCreated))
-		require.Len(t, sent, 1)
-		require.Equal(t, memberUser.ID, sent[0].UserID)
+		require.Len(t, sent, 2)
+
+		receivers := make([]uuid.UUID, len(sent))
+		for idx, notif := range sent {
+			receivers[idx] = notif.UserID
+		}
+
+		// Check the notification was sent to the first user and template admin
+		require.Contains(t, receivers, templateAdmin.ID)
+		require.Contains(t, receivers, user.UserID)
+		require.NotContains(t, receivers, memberUser.ID)
+
 		require.Contains(t, sent[0].Targets, template.ID)
 		require.Contains(t, sent[0].Targets, workspace.ID)
 		require.Contains(t, sent[0].Targets, workspace.OrganizationID)
 		require.Contains(t, sent[0].Targets, workspace.OwnerID)
+
+		require.Contains(t, sent[1].Targets, template.ID)
+		require.Contains(t, sent[1].Targets, workspace.ID)
+		require.Contains(t, sent[1].Targets, workspace.OrganizationID)
+		require.Contains(t, sent[1].Targets, workspace.OwnerID)
 	})
 
 	t.Run("CreateSendsNotificationToCorrectUser", func(t *testing.T) {
@@ -601,14 +617,15 @@ func TestPostWorkspacesByOrganization(t *testing.T) {
 		enqueuer := notificationstest.FakeEnqueuer{}
 		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, NotificationsEnqueuer: &enqueuer})
 		user := coderdtest.CreateFirstUser(t, client)
+		templateAdminClient, _ := coderdtest.CreateAnotherUser(t, client, user.OrganizationID, rbac.RoleTemplateAdmin(), rbac.RoleOwner())
 		_, memberUser := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
 
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		version := coderdtest.CreateTemplateVersion(t, templateAdminClient, user.OrganizationID, nil)
+		template := coderdtest.CreateTemplate(t, templateAdminClient, user.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJobCompleted(t, templateAdminClient, version.ID)
 
 		ctx := testutil.Context(t, testutil.WaitShort)
-		workspace, err := client.CreateUserWorkspace(ctx, memberUser.Username, codersdk.CreateWorkspaceRequest{
+		workspace, err := templateAdminClient.CreateUserWorkspace(ctx, memberUser.Username, codersdk.CreateWorkspaceRequest{
 			TemplateID: template.ID,
 			Name:       coderdtest.RandomUsername(t),
 		})
@@ -617,7 +634,7 @@ func TestPostWorkspacesByOrganization(t *testing.T) {
 
 		sent := enqueuer.Sent(notificationstest.WithTemplateID(notifications.TemplateWorkspaceCreated))
 		require.Len(t, sent, 1)
-		require.Equal(t, memberUser.ID, sent[0].UserID)
+		require.Equal(t, user.UserID, sent[0].UserID)
 		require.Contains(t, sent[0].Targets, template.ID)
 		require.Contains(t, sent[0].Targets, workspace.ID)
 		require.Contains(t, sent[0].Targets, workspace.OrganizationID)
