coder
diff --git a/‎coderd/database/dump.sql
-1 b/‎coderd/database/dump.sql
-1
diff --git a/‎coderd/database/migrations/000059_app_sharing_level.up.sql
-3 b/‎coderd/database/migrations/000059_app_sharing_level.up.sql
-3
diff --git a/‎coderd/database/models.go
-1 b/‎coderd/database/models.go
-1
diff --git a/‎coderd/database/queries.sql.go
+1-1 b/‎coderd/database/queries.sql.go
+1-1
diff --git a/‎coderd/database/queries/workspaceapps.sql
+1-1 b/‎coderd/database/queries/workspaceapps.sql
+1-1
diff --git a/‎coderd/provisionerdaemons.go
-2 b/‎coderd/provisionerdaemons.go
-2
diff --git a/‎coderd/workspaceapps.go
+4-24 b/‎coderd/workspaceapps.go
+4-24
diff --git a/‎coderd/workspaceapps_test.go
+20-78 b/‎coderd/workspaceapps_test.go
+20-78
diff --git a/‎codersdk/workspaceapps.go
-1 b/‎codersdk/workspaceapps.go
-1
diff --git a/‎enterprise/coderd/workspaceagents_test.go
-6 b/‎enterprise/coderd/workspaceagents_test.go
-6
diff --git a/‎provisioner/terraform/resources.go
-2 b/‎provisioner/terraform/resources.go
-2
@@ -2,9 +2,6 @@
 CREATE TYPE app_sharing_level AS ENUM (
 	-- only the workspace owner can access the app
 	'owner',
-	-- the workspace owner and other users that can read the workspace template
-	-- can access the app
-	'template',
 	-- any authenticated user on the site can access the app
 	'authenticated',
 	-- any user can access the app even if they are not authenticated
 
@@ -21,7 +21,7 @@ INSERT INTO
         command,
         url,
         subdomain,
-		sharing_level,
+        sharing_level,
         healthcheck_url,
         healthcheck_interval,
         healthcheck_threshold,
 
@@ -816,8 +816,6 @@ func insertWorkspaceResource(ctx context.Context, db database.Store, jobID uuid.
 
 			sharingLevel := database.AppSharingLevelOwner
 			switch app.SharingLevel {
-			case sdkproto.AppSharingLevel_TEMPLATE:
-				sharingLevel = database.AppSharingLevelTemplate
 			case sdkproto.AppSharingLevel_AUTHENTICATED:
 				sharingLevel = database.AppSharingLevelAuthenticated
 			case sdkproto.AppSharingLevel_PUBLIC:
 
@@ -310,7 +310,7 @@ func (api *API) authorizeWorkspaceApp(r *http.Request, sharingLevel database.App
 	// other RBAC rules that may be in place.
 	//
 	// Regardless of share level or whether it's enabled or not, the owner of
-	// the workspace can always access applications (as long as their key's
+	// the workspace can always access applications (as long as their API key's
 	// scope allows it).
 	err := api.Authorizer.ByRoleName(ctx, roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), []string{}, rbac.ActionCreate, workspace.ApplicationConnectRBAC())
 	if err == nil {
@@ -319,29 +319,9 @@ func (api *API) authorizeWorkspaceApp(r *http.Request, sharingLevel database.App
 
 	switch sharingLevel {
 	case database.AppSharingLevelOwner:
-		// We essentially already did this above.
-	case database.AppSharingLevelTemplate:
-		// Check if the user has access to the same template as the workspace.
-		template, err := api.Database.GetTemplateByID(ctx, workspace.TemplateID)
-		if err != nil {
-			return false, xerrors.Errorf("get template %q: %w", workspace.TemplateID, err)
-		}
-
-		// We have to perform this check without scopes enabled because
-		// otherwise this check will always fail on a scoped API key.
-		err = api.Authorizer.ByRoleName(ctx, roles.ID.String(), roles.Roles, rbac.ScopeAll, []string{}, rbac.ActionRead, template.RBACObject())
-		if err != nil {
-			// Exit early if the user doesn't have access to the template.
-			return false, nil
-		}
-
-		// Now check if the user has ApplicationConnect access to their own
-		// workspaces.
-		object := rbac.ResourceWorkspaceApplicationConnect.WithOwner(roles.ID.String())
-		err = api.Authorizer.ByRoleName(ctx, roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), []string{}, rbac.ActionCreate, object)
-		if err == nil {
-			return true, nil
-		}
+		// We essentially already did this above with the regular RBAC check.
+		// Owners can always access their own apps according to RBAC rules, so
+		// they have already been returned from this function.
 	case database.AppSharingLevelAuthenticated:
 		// The user is authenticated at this point, but we need to make sure
 		// that they have ApplicationConnect permissions to their own
 
@@ -32,7 +32,6 @@ const (
 	proxyTestAgentName            = "agent-name"
 	proxyTestAppNameFake          = "test-app-fake"
 	proxyTestAppNameOwner         = "test-app-owner"
-	proxyTestAppNameTemplate      = "test-app-template"
 	proxyTestAppNameAuthenticated = "test-app-authenticated"
 	proxyTestAppNamePublic        = "test-app-public"
 	proxyTestAppQuery             = "query=true"
@@ -134,11 +133,6 @@ func setupProxyTest(t *testing.T, workspaceMutators ...func(*codersdk.CreateWork
 									SharingLevel: proto.AppSharingLevel_OWNER,
 									Url:          appURL,
 								},
-								{
-									Name:         proxyTestAppNameTemplate,
-									SharingLevel: proto.AppSharingLevel_TEMPLATE,
-									Url:          appURL,
-								},
 								{
 									Name:         proxyTestAppNameAuthenticated,
 									SharingLevel: proto.AppSharingLevel_AUTHENTICATED,
@@ -736,11 +730,11 @@ func TestWorkspaceAppsProxySubdomain(t *testing.T) {
 func TestAppSharing(t *testing.T) {
 	t.Parallel()
 
-	setup := func(t *testing.T) (workspace codersdk.Workspace, agnt codersdk.WorkspaceAgent, user codersdk.User, client *codersdk.Client, clientWithTemplateAccess *codersdk.Client, clientWithNoTemplateAccess *codersdk.Client, clientWithNoAuth *codersdk.Client) {
+	setup := func(t *testing.T) (workspace codersdk.Workspace, agnt codersdk.WorkspaceAgent, user codersdk.User, client *codersdk.Client, clientInOtherOrg *codersdk.Client, clientWithNoAuth *codersdk.Client) {
 		//nolint:gosec
 		const password = "password"
 
-		client, firstUser, workspace, _ := setupProxyTest(t)
+		client, _, workspace, _ = setupProxyTest(t)
 
 		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 		t.Cleanup(cancel)
@@ -756,7 +750,6 @@ func TestAppSharing(t *testing.T) {
 		expected := map[string]codersdk.WorkspaceAppSharingLevel{
 			proxyTestAppNameFake:          codersdk.WorkspaceAppSharingLevelOwner,
 			proxyTestAppNameOwner:         codersdk.WorkspaceAppSharingLevelOwner,
-			proxyTestAppNameTemplate:      codersdk.WorkspaceAppSharingLevelTemplate,
 			proxyTestAppNameAuthenticated: codersdk.WorkspaceAppSharingLevelAuthenticated,
 			proxyTestAppNamePublic:        codersdk.WorkspaceAppSharingLevelPublic,
 		}
@@ -765,66 +758,37 @@ func TestAppSharing(t *testing.T) {
 		}
 		require.Equal(t, expected, found, "apps have incorrect sharing levels")
 
-		// Create a user in the same org (should be able to read the template).
-		userWithTemplateAccess, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
-			Email:          "[email protected]",
-			Username:       "template-access",
-			Password:       password,
-			OrganizationID: firstUser.OrganizationID,
-		})
-		require.NoError(t, err)
-
-		clientWithTemplateAccess = codersdk.New(client.URL)
-		loginRes, err := clientWithTemplateAccess.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{
-			Email:    userWithTemplateAccess.Email,
-			Password: password,
-		})
-		require.NoError(t, err)
-		clientWithTemplateAccess.SessionToken = loginRes.SessionToken
-		clientWithTemplateAccess.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
-			return http.ErrUseLastResponse
-		}
-
-		// Double check that the user can read the template.
-		_, err = clientWithTemplateAccess.Template(ctx, workspace.TemplateID)
-		require.NoError(t, err)
-
-		// Create a user in a different org (should not be able to read the
-		// template).
-		differentOrg, err := client.CreateOrganization(ctx, codersdk.CreateOrganizationRequest{
+		// Create a user in a different org.
+		otherOrg, err := client.CreateOrganization(ctx, codersdk.CreateOrganizationRequest{
 			Name: "a-different-org",
 		})
 		require.NoError(t, err)
-		userWithNoTemplateAccess, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
+		userInOtherOrg, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
 			Email:          "[email protected]",
 			Username:       "no-template-access",
 			Password:       password,
-			OrganizationID: differentOrg.ID,
+			OrganizationID: otherOrg.ID,
 		})
 		require.NoError(t, err)
 
-		clientWithNoTemplateAccess = codersdk.New(client.URL)
-		loginRes, err = clientWithNoTemplateAccess.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{
-			Email:    userWithNoTemplateAccess.Email,
+		clientInOtherOrg = codersdk.New(client.URL)
+		loginRes, err := clientInOtherOrg.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{
+			Email:    userInOtherOrg.Email,
 			Password: password,
 		})
 		require.NoError(t, err)
-		clientWithNoTemplateAccess.SessionToken = loginRes.SessionToken
-		clientWithNoTemplateAccess.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+		clientInOtherOrg.SessionToken = loginRes.SessionToken
+		clientInOtherOrg.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		}
 
-		// Double check that the user cannot read the template.
-		_, err = clientWithNoTemplateAccess.Template(ctx, workspace.TemplateID)
-		require.Error(t, err)
-
 		// Create an unauthenticated codersdk client.
 		clientWithNoAuth = codersdk.New(client.URL)
 		clientWithNoAuth.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		}
 
-		return workspace, agnt, user, client, clientWithTemplateAccess, clientWithNoTemplateAccess, clientWithNoAuth
+		return workspace, agnt, user, client, clientInOtherOrg, clientWithNoAuth
 	}
 
 	verifyAccess := func(t *testing.T, username, workspaceName, agentName, appName string, client *codersdk.Client, shouldHaveAccess, shouldRedirectToLogin bool) {
@@ -884,50 +848,30 @@ func TestAppSharing(t *testing.T) {
 	t.Run("Level", func(t *testing.T) {
 		t.Parallel()
 
-		workspace, agent, user, client, clientWithTemplateAccess, clientWithNoTemplateAccess, clientWithNoAuth := setup(t)
+		workspace, agent, user, client, clientInOtherOrg, clientWithNoAuth := setup(t)
 
 		t.Run("Owner", func(t *testing.T) {
 			t.Parallel()
 
 			// Owner should be able to access their own workspace.
 			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameOwner, client, true, false)
 
-			// User with or without template access should not have access to a
-			// workspace that they do not own.
-			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameOwner, clientWithTemplateAccess, false, false)
-			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameOwner, clientWithNoTemplateAccess, false, false)
+			// Authenticated users should not have access to a workspace that
+			// they do not own.
+			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameOwner, clientInOtherOrg, false, false)
 
 			// Unauthenticated user should not have any access.
 			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameOwner, clientWithNoAuth, false, true)
 		})
 
-		t.Run("Template", func(t *testing.T) {
-			t.Parallel()
-
-			// Owner should be able to access their own workspace.
-			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameTemplate, client, true, false)
-
-			// User with template access should be able to access the workspace.
-			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameTemplate, clientWithTemplateAccess, true, false)
-
-			// User without template access should not have access to a workspace
-			// that they do not own.
-			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameTemplate, clientWithNoTemplateAccess, false, false)
-
-			// Unauthenticated user should not have any access.
-			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameTemplate, clientWithNoAuth, false, true)
-		})
-
 		t.Run("Authenticated", func(t *testing.T) {
 			t.Parallel()
 
 			// Owner should be able to access their own workspace.
 			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameAuthenticated, client, true, false)
 
-			// User with or without template access should be able to access the
-			// workspace.
-			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameAuthenticated, clientWithTemplateAccess, true, false)
-			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameAuthenticated, clientWithNoTemplateAccess, true, false)
+			// Authenticated users should be able to access the workspace.
+			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameAuthenticated, clientInOtherOrg, true, false)
 
 			// Unauthenticated user should not have any access.
 			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameAuthenticated, clientWithNoAuth, false, true)
@@ -939,10 +883,8 @@ func TestAppSharing(t *testing.T) {
 			// Owner should be able to access their own workspace.
 			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNamePublic, client, true, false)
 
-			// User with or without template access should be able to access the
-			// workspace.
-			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNamePublic, clientWithTemplateAccess, true, false)
-			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNamePublic, clientWithNoTemplateAccess, true, false)
+			// Authenticated users should be able to access the workspace.
+			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNamePublic, clientInOtherOrg, true, false)
 
 			// Unauthenticated user should be able to access the workspace.
 			verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNamePublic, clientWithNoAuth, true, false)
 
@@ -17,7 +17,6 @@ type WorkspaceAppSharingLevel string
 
 const (
 	WorkspaceAppSharingLevelOwner         WorkspaceAppSharingLevel = "owner"
-	WorkspaceAppSharingLevelTemplate      WorkspaceAppSharingLevel = "template"
 	WorkspaceAppSharingLevelAuthenticated WorkspaceAppSharingLevel = "authenticated"
 	WorkspaceAppSharingLevelPublic        WorkspaceAppSharingLevel = "public"
 )
 
@@ -23,7 +23,6 @@ import (
 // App names for each app sharing level.
 const (
 	testAppNameOwner         = "test-app-owner"
-	testAppNameTemplate      = "test-app-template"
 	testAppNameAuthenticated = "test-app-authenticated"
 	testAppNamePublic        = "test-app-public"
 )
@@ -88,11 +87,6 @@ func setupWorkspaceAgent(t *testing.T, client *codersdk.Client, user codersdk.Cr
 									SharingLevel: proto.AppSharingLevel_OWNER,
 									Url:          fmt.Sprintf("http://localhost:%d", appPort),
 								},
-								{
-									Name:         testAppNameTemplate,
-									SharingLevel: proto.AppSharingLevel_TEMPLATE,
-									Url:          fmt.Sprintf("http://localhost:%d", appPort),
-								},
 								{
 									Name:         testAppNameAuthenticated,
 									SharingLevel: proto.AppSharingLevel_AUTHENTICATED,
 
@@ -240,8 +240,6 @@ func ConvertResources(module *tfjson.StateModule, rawGraph string) ([]*proto.Res
 		switch strings.ToLower(attrs.Share) {
 		case "owner":
 			sharingLevel = proto.AppSharingLevel_OWNER
-		case "template":
-			sharingLevel = proto.AppSharingLevel_TEMPLATE
 		case "authenticated":
 			sharingLevel = proto.AppSharingLevel_AUTHENTICATED
 		case "public":
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,6 @@ type WorkspaceAppSharingLevel string`
`17`	`17`
`18`	`18`	`const (`
`19`	`19`	`WorkspaceAppSharingLevelOwner WorkspaceAppSharingLevel = "owner"`
`20`		`- WorkspaceAppSharingLevelTemplate WorkspaceAppSharingLevel = "template"`
`21`	`20`	`WorkspaceAppSharingLevelAuthenticated WorkspaceAppSharingLevel = "authenticated"`
`22`	`21`	`WorkspaceAppSharingLevelPublic WorkspaceAppSharingLevel = "public"`
`23`	`22`	`)`