coder
diff --git a/‎coderd/aitasks.go
Lines changed: 22 additions & 8 deletions b/‎coderd/aitasks.go
Lines changed: 22 additions & 8 deletions
diff --git a/‎coderd/aitasks_test.go
Lines changed: 74 additions & 0 deletions b/‎coderd/aitasks_test.go
Lines changed: 74 additions & 0 deletions
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 10 additions & 2 deletions b/‎coderd/coderdtest/coderdtest.go
Lines changed: 10 additions & 2 deletions
diff --git a/‎coderd/database/modelqueries.go
Lines changed: 2 additions & 0 deletions b/‎coderd/database/modelqueries.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 36 additions & 14 deletions b/‎coderd/database/queries.sql.go
Lines changed: 36 additions & 14 deletions
diff --git a/‎coderd/database/queries/templates.sql
Lines changed: 18 additions & 0 deletions b/‎coderd/database/queries/templates.sql
Lines changed: 18 additions & 0 deletions
diff --git a/‎coderd/rbac/authz_internal_test.go
Lines changed: 51 additions & 0 deletions b/‎coderd/rbac/authz_internal_test.go
Lines changed: 51 additions & 0 deletions
diff --git a/‎coderd/rbac/policy.rego
Lines changed: 9 additions & 2 deletions b/‎coderd/rbac/policy.rego
Lines changed: 9 additions & 2 deletions
@@ -113,15 +113,29 @@ func (api *API) tasksCreate(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	taskName := taskname.GenerateFallback()
-	if anthropicAPIKey := taskname.GetAnthropicAPIKeyFromEnv(); anthropicAPIKey != "" {
-		anthropicModel := taskname.GetAnthropicModelFromEnv()
+	taskName := req.Name
+	if taskName != "" {
+		if err := codersdk.NameValid(taskName); err != nil {
+			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+				Message: "Unable to create a Task with the provided name.",
+				Detail:  err.Error(),
+			})
+			return
+		}
+	}
 
-		generatedName, err := taskname.Generate(ctx, req.Prompt, taskname.WithAPIKey(anthropicAPIKey), taskname.WithModel(anthropicModel))
-		if err != nil {
-			api.Logger.Error(ctx, "unable to generate task name", slog.Error(err))
-		} else {
-			taskName = generatedName
+	if taskName == "" {
+		taskName = taskname.GenerateFallback()
+
+		if anthropicAPIKey := taskname.GetAnthropicAPIKeyFromEnv(); anthropicAPIKey != "" {
+			anthropicModel := taskname.GetAnthropicModelFromEnv()
+
+			generatedName, err := taskname.Generate(ctx, req.Prompt, taskname.WithAPIKey(anthropicAPIKey), taskname.WithModel(anthropicModel))
+			if err != nil {
+				api.Logger.Error(ctx, "unable to generate task name", slog.Error(err))
+			} else {
+				taskName = generatedName
+			}
 		}
 	}
 
 
@@ -441,6 +441,80 @@ func TestTasksCreate(t *testing.T) {
 		assert.Equal(t, taskPrompt, parameters[0].Value)
 	})
 
+	t.Run("CustomNames", func(t *testing.T) {
+		t.Parallel()
+
+		tests := []struct {
+			name               string
+			taskName           string
+			expectFallbackName bool
+			expectError        string
+		}{
+			{
+				name:     "ValidName",
+				taskName: "a-valid-task-name",
+			},
+			{
+				name:        "NotValidName",
+				taskName:    "this is not a valid task name",
+				expectError: "Unable to create a Task with the provided name.",
+			},
+			{
+				name:               "NoNameProvided",
+				taskName:           "",
+				expectFallbackName: true,
+			},
+		}
+
+		for _, tt := range tests {
+			t.Run(tt.name, func(t *testing.T) {
+				t.Parallel()
+
+				var (
+					ctx       = testutil.Context(t, testutil.WaitShort)
+					client    = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+					expClient = codersdk.NewExperimentalClient(client)
+					user      = coderdtest.CreateFirstUser(t, client)
+					version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+						Parse:          echo.ParseComplete,
+						ProvisionApply: echo.ApplyComplete,
+						ProvisionPlan: []*proto.Response{
+							{Type: &proto.Response_Plan{Plan: &proto.PlanComplete{
+								Parameters: []*proto.RichParameter{{Name: "AI Prompt", Type: "string"}},
+								HasAiTasks: true,
+							}}},
+						},
+					})
+					template = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+				)
+
+				coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+
+				// When: We attempt to create a Task.
+				task, err := expClient.CreateTask(ctx, "me", codersdk.CreateTaskRequest{
+					TemplateVersionID: template.ActiveVersionID,
+					Prompt:            "Some prompt",
+					Name:              tt.taskName,
+				})
+				if tt.expectError == "" {
+					require.NoError(t, err)
+					require.True(t, task.WorkspaceID.Valid)
+
+					// Then: We expect the correct name to have been picked.
+					err = codersdk.NameValid(task.Name)
+					require.NoError(t, err, "Generated task name should be valid")
+
+					require.NotEmpty(t, task.Name)
+					if !tt.expectFallbackName {
+						require.Equal(t, tt.taskName, task.Name)
+					}
+				} else {
+					require.ErrorContains(t, err, tt.expectError)
+				}
+			})
+		}
+	})
+
 	t.Run("FailsOnNonTaskTemplate", func(t *testing.T) {
 		t.Parallel()
 
 
@@ -1097,9 +1097,17 @@ func AwaitWorkspaceBuildJobCompleted(t testing.TB, client *codersdk.Client, buil
 	require.Eventually(t, func() bool {
 		var err error
 		workspaceBuild, err = client.WorkspaceBuild(ctx, build)
-		return assert.NoError(t, err) && workspaceBuild.Job.CompletedAt != nil
+		if err != nil {
+			t.Logf("failed to get workspace build %s: %v", build, err)
+			return false
+		}
+		if workspaceBuild.Job.CompletedAt == nil {
+			t.Logf("workspace build job %s still running (status: %s)", build, workspaceBuild.Job.Status)
+			return false
+		}
+		return true
 	}, testutil.WaitMedium, testutil.IntervalMedium)
-	t.Logf("got workspace build job %s", build)
+	t.Logf("got workspace build job %s (status: %s)", build, workspaceBuild.Job.Status)
 	return workspaceBuild
 }
 
 
@@ -78,7 +78,9 @@ func (q *sqlQuerier) GetAuthorizedTemplates(ctx context.Context, arg GetTemplate
 		arg.Deleted,
 		arg.OrganizationID,
 		arg.ExactName,
+		arg.ExactDisplayName,
 		arg.FuzzyName,
+		arg.FuzzyDisplayName,
 		pq.Array(arg.IDs),
 		arg.Deprecated,
 		arg.HasAITask,
 
@@ -30,12 +30,30 @@ WHERE
 			LOWER(t.name) = LOWER(@exact_name)
 		ELSE true
 	END
+	-- Filter by exact display name
+	AND CASE
+		WHEN @exact_display_name :: text != '' THEN
+			LOWER(t.display_name) = LOWER(@exact_display_name)
+		ELSE true
+	END
 	-- Filter by name, matching on substring
 	AND CASE
 		WHEN @fuzzy_name :: text != '' THEN
 			lower(t.name) ILIKE '%' || lower(@fuzzy_name) || '%'
 		ELSE true
 	END
+	-- Filter by display_name, matching on substring (fallback to name if display_name is empty)
+	AND CASE
+		WHEN @fuzzy_display_name :: text != '' THEN
+			CASE
+				WHEN t.display_name IS NOT NULL AND t.display_name != '' THEN
+					lower(t.display_name) ILIKE '%' || lower(@fuzzy_display_name) || '%'
+				ELSE
+					-- Remove spaces if present since 't.name' cannot have any spaces
+					lower(t.name) ILIKE '%' || REPLACE(lower(@fuzzy_display_name), ' ', '') || '%'
+			END
+		ELSE true
+	END
 	-- Filter by ids
 	AND CASE
 		WHEN array_length(@ids :: uuid[], 1) > 0 THEN
 
@@ -1110,6 +1110,57 @@ func TestAuthorizeScope(t *testing.T) {
 			{resource: ResourceOrganization.WithID(defOrg)},
 		}),
 	)
+
+	// Test setting a scope on the org and the user level
+	// This is a bit of a contrived example that would not exist in practice.
+	// It combines a specific organization scope with a user scope to verify
+	// that both are applied.
+	// The test uses the `Owner` role, so by default the user can do everything.
+	user = Subject{
+		ID: "me",
+		Roles: Roles{
+			must(RoleByName(RoleOwner())),
+			// TODO: There is a __bug__ in the policy.rego. If the user is not a
+			//  member of the organization, the org_scope fails. This happens because
+			//  the org_allow_set uses "org_members".
+			//  This is odd behavior, as without this membership role, the test for
+			//  the workspace fails. Maybe scopes should just assume the user
+			//  is a member.
+			must(RoleByName(ScopedRoleOrgMember(defOrg))),
+		},
+		Scope: Scope{
+			Role: Role{
+				Identifier: RoleIdentifier{
+					Name:           "org-and-user-scope",
+					OrganizationID: defOrg,
+				},
+				DisplayName: "OrgAndUserScope",
+				Site:        nil,
+				Org: map[string][]Permission{
+					defOrg.String(): Permissions(map[string][]policy.Action{
+						ResourceWorkspace.Type: {policy.ActionRead},
+					}),
+				},
+				User: Permissions(map[string][]policy.Action{
+					ResourceUser.Type: {policy.ActionRead},
+				}),
+			},
+			AllowIDList: []string{policy.WildcardSymbol},
+		},
+	}
+
+	testAuthorize(t, "OrgAndUserScope", user,
+		// Allowed by scope:
+		[]authTestCase{
+			{resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID), allow: true, actions: []policy.Action{policy.ActionRead}},
+			{resource: ResourceUser.WithOwner(user.ID), allow: true, actions: []policy.Action{policy.ActionRead}},
+		},
+		// Not allowed by scope:
+		[]authTestCase{
+			{resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID), allow: false, actions: []policy.Action{policy.ActionCreate}},
+			{resource: ResourceUser.WithOwner(user.ID), allow: false, actions: []policy.Action{policy.ActionUpdate}},
+		},
+	)
 }
 
 // cases applies a given function to all test cases. This makes generalities easier to create.
 
@@ -106,6 +106,13 @@ site_allow(roles) := num if {
 # -------------------
 
 # org_members is the list of organizations the actor is apart of.
+# TODO: Should there be an org_members for the scope too? Without it,
+#  the membership is determined by the user's roles, not their scope permissions.
+#  So if an owner (who is not an org member) has an org scope, that org scope
+#  will fail to return '1'. Since we assume all non members return '-1' for org
+#  level permissions.
+#  Adding a second org_members set might affect the partial evaluation.
+#  This is being left until org scopes are used.
 org_members := {orgID |
 	input.subject.roles[_].org[orgID]
 }
@@ -116,7 +123,7 @@ default org := 0
 org := org_allow(input.subject.roles)
 
 default scope_org := 0
-scope_org := org_allow([input.scope])
+scope_org := org_allow([input.subject.scope])
 
 # org_allow_set is a helper function that iterates over all orgs that the actor
 # is a member of. For each organization it sets the numerical allow value
@@ -221,7 +228,7 @@ default user := 0
 user := user_allow(input.subject.roles)
 
 default scope_user := 0
-scope_user := user_allow([input.scope])
+scope_user := user_allow([input.subject.scope])
 
 user_allow(roles) := num if {
 	input.object.owner != ""