Closes#15114

What this does

Joins in fields likeusername,avatar_url,organization_name,template_name toworkspaces via aview.

Views are a nuisance to maintain, however they have become the only clean way to handle RBAC related objects for:

• Groups
• Template Versions
• Templates
• Workspace Builds
• And now workspaces

If this is not done, the backend has to do multiple fetches when trying to retrieve information always displayed like the Owner's username. These fetches have the RBAC issue that they require theREAD permission the related object, whichgets even more complicated with custom roles.

Without these joins, if you giveREAD permission to a workspace in an org, it also requires the permission toREAD the user only to fetch the username & avatar. When using custom roles, these implicit links are confusing to use, and have caused a reported error.

We can further make this better, as some overfetching is still done, but this change is already a lot.

What this costs

We have to maintain yet another view.Insert rant about SQLc supporting client-side views that update with the schema.

RBAC Change

GivingREAD to a workspace now lets you see all these fields without needing perms to the related objects.

-- Ownercoalesce(visible_users.avatar_url,'')AS owner_avatar_url,coalesce(visible_users.username,'')AS owner_username,-- Organizationcoalesce(organizations.name,'')AS organization_name,coalesce(organizations.display_name,'')AS organization_display_name,coalesce(organizations.icon,'')AS organization_icon,coalesce(organizations.description,'')AS organization_description,-- Templatecoalesce(templates.name,'')AS template_name,coalesce(templates.display_name,'')AS template_display_name,coalesce(templates.icon,'')AS template_icon,coalesce(templates.description,'')AS template_description

Guardrails

Converting toWorkspaceTable is guarded to stay in sync with the view. If you update the view, but not the converter function, this test will fail.

And static structs are also guarded. Does the same as above, but ignores the converter function.

We useWorkspaceTable for audit logs, since fields likeUsername are mutable, it would not make sense to include in the audit log with a workspace. It is sourced from the mutable field of Users.