feat: add user:read scope (#23348)

Enables [23270](https://github.com/coder/coder/discussions/23270). Makes it possible for admin users to create API tokens scoped for reading users' data.
2026-03-22 10:06:03 -04:00
parent a08b6848f2
commit b763b72b53
3 changed files with 4 additions and 1 deletions
@@ -40,7 +40,8 @@ var externalLowLevel = map[ScopeName]struct{}{
 	"file:create": {},
 	"file:*":      {},

-	// Users (personal profile only)
+	// Users
+	"user:read":            {},
 	"user:read_personal":   {},
 	"user:update_personal": {},
 	"user.*":               {},
@@ -62,6 +62,7 @@ func TestIsExternalScope(t *testing.T) {
 	require.True(t, IsExternalScope("template:use"))
 	require.True(t, IsExternalScope("workspace:*"))
 	require.True(t, IsExternalScope("coder:workspaces.create"))
+	require.True(t, IsExternalScope("user:read"))
 	require.False(t, IsExternalScope("debug_info:read")) // internal-only
 	require.False(t, IsExternalScope("unknown:read"))
 }
@@ -247,6 +247,7 @@ var PublicAPIKeyScopes = []APIKeyScope{
 	APIKeyScopeTemplateRead,
 	APIKeyScopeTemplateUpdate,
 	APIKeyScopeTemplateUse,
+	APIKeyScopeUserRead,
 	APIKeyScopeUserReadPersonal,
 	APIKeyScopeUserUpdatePersonal,
 	APIKeyScopeUserSecretAll,