fix: show selected owner's external auth when creating a workspace #26653
Open
aslilac wants to merge 1 commit into
When an admin created a workspace for another user, the external authentication section reflected the admin's own auth state instead of the selected owner's, because the endpoint and form keyed external auth by template version only. The external-auth endpoint now accepts an optional user_id. When it differs from the requester, it authorizes create-workspace-for-owner, reads the owner's link status under an elevated read-only context, and omits the authenticate URL. The create form threads the selected owner through the query and shows a read-only status for other users instead of a login button that would authenticate the admin.
When an admin creates a workspace for another user, the External Authentication section now reflects the selected owner's auth state instead of the admin's.
Previously the form always reported the requesting admin's external auth, so an admin connected to a provider saw "Authenticated" and could submit even when the target owner had never connected it.
Behavior
Implementation details & decisions
Root cause. External auth was keyed by template version only. The backend endpoint looked up links using the requester's ID, and the form never passed the selected owner.
Backend. GET /templateversions/{ver}/external-auth accepts an optional user_id. When it differs from the requester, the requester is authorized for create workspace as that owner (mirroring workspace creation). The owner's link status is then read under an elevated read-only context, so admins who can create for others but lack personal read access (e.g. org admins) still work. The build path already resolves external auth per owner, so this only corrects the form.
Decisions / tradeoffs. authenticate_url is omitted for non-self responses so the UI cannot offer a login action that would authenticate the wrong account.
Tests. Backend: an org admin (create-for-owner, no personal read) sees the owner's state; a plain member is forbidden. Frontend: Storybook play tests cover the read-only status and the "another user" form state.
Generated by Coder Agents on behalf of @aslilac.
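The authorization flow the description lays out, modelled as an added Go example that is not part of this pull request or of Coder's code base. The Store type, ExternalAuthFor, the permission map, the sample users and the /login/ path are all hypothetical stand-ins.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model of the decision flow; none of these names are Coder's own.
type ExternalAuth struct {
	ProviderID      string
	Authenticated   bool
	AuthenticateURL string // left empty when the status belongs to another user
}
var ErrForbidden = errors.New("forbidden")
type Store struct {
	links        map[string]map[string]bool // userID -> providerID -> linked
	canCreateFor map[string]map[string]bool // requesterID -> ownerID -> allowed
}
// ExternalAuthFor reports provider status for ownerID, or for the requester when ownerID is empty.
func (s *Store) ExternalAuthFor(requesterID, ownerID string, providers []string) ([]ExternalAuth, error) {
	if ownerID == "" {
		ownerID = requesterID
	}
	self := ownerID == requesterID
	// Gate on the create-for-owner permission, not on personal read access to the owner.
	if !self && !s.canCreateFor[requesterID][ownerID] {
		return nil, ErrForbidden
	}
	var out []ExternalAuth
	for _, p := range providers {
		ea := ExternalAuth{ProviderID: p, Authenticated: s.links[ownerID][p]} // status only
		if self {
			ea.AuthenticateURL = "/login/" + p // placeholder path
		}
		out = append(out, ea)
	}
	return out, nil
}

// sampleStore holds constructed data: the admin is linked to "github", the owner is not.
func sampleStore() *Store {
	return &Store{
		links:        map[string]map[string]bool{"admin": {"github": true}},
		canCreateFor: map[string]map[string]bool{"admin": {"owner": true}},
	}
}

func main() {
	fmt.Println(sampleStore().ExternalAuthFor("admin", "owner", []string{"github"}))
}
```

The admin's own link never leaks into the owner's result, and the non-self response carries no login URL, which are the two properties the backend tests in the description check from the API side.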