fix(coderd): handle rbac.NotAuthorizedError when deleting template (#21645)

johnstcn · web-flow · commit fa7baebdd84f · 2026-01-23T12:02:46.000Z
Relates to https://github.com/coder/aibridge/pull/143/changes#r2720659638 We previously had been returning the following when attempting to delete failed due to lack of permissions. ``` 500 Internal error deleting template: unauthorized: rbac: forbidden ``` This PR updates the handler to return our usual 403 forbidden response.
diff --git a/coderd/templates.go b/coderd/templates.go
@@ -101,6 +101,10 @@ func (api *API) deleteTemplate(rw http.ResponseWriter, r *http.Request) {
 		Deleted:   true,
 		UpdatedAt: dbtime.Now(),
 	})
+	if dbauthz.IsNotAuthorizedError(err) {
+		httpapi.Forbidden(rw)
+		return
+	}
 	if err != nil {
 		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 			Message: "Internal error deleting template.",
diff --git a/coderd/templates_test.go b/coderd/templates_test.go
@@ -17,6 +17,7 @@ import (
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/database/dbfake"
 	"github.com/coder/coder/v2/coderd/database/dbgen"
 	"github.com/coder/coder/v2/coderd/database/dbtestutil"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
@@ -1753,6 +1754,20 @@ func TestDeleteTemplate(t *testing.T) {
 		require.ErrorAs(t, err, &apiErr)
 		require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
 	})
+
+	t.Run("NoPermission", func(t *testing.T) {
+		t.Parallel()
+		client, db := coderdtest.NewWithDatabase(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		owner := coderdtest.CreateFirstUser(t, client)
+		memberClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+		tpl := dbfake.TemplateVersion(t, db).Seed(database.TemplateVersion{CreatedBy: owner.UserID, OrganizationID: owner.OrganizationID}).Do()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		err := memberClient.DeleteTemplate(ctx, tpl.Template.ID)
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
+	})
 }
 
 func TestTemplateMetrics(t *testing.T) {
