fix: adjust build state permission to require template update (#6472)

2023-03-06 22:24:32 -06:00 · 2023-03-06 22:24:32 -06:00 · 74632e460c
parent 29ced72cda
commit 74632e460c
2 changed files with 13 additions and 3 deletions
--- a/coderd/coderdtest/authorize.go
+++ b/coderd/coderdtest/authorize.go
@ -132,8 +132,8 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
 			AssertObject: workspaceRBACObj,
 		},
 		"GET:/api/v2/workspacebuilds/{workspacebuild}/state": {
-			AssertAction: rbac.ActionRead,
-			AssertObject: workspaceRBACObj,
+			AssertAction: rbac.ActionUpdate,
+			AssertObject: templateObj,
 		},
 		"GET:/api/v2/workspaceagents/{workspaceagent}": {
 			AssertAction: rbac.ActionRead,
--- a/coderd/workspacebuilds.go
+++ b/coderd/workspacebuilds.go
@ -892,8 +892,18 @@ func (api *API) workspaceBuildState(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
+	template, err := api.Database.GetTemplateByID(ctx, workspace.TemplateID)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Failed to get template",
+			Detail:  err.Error(),
+		})
+		return
+	}

-	if !api.Authorize(r, rbac.ActionRead, workspace) {
+	// You must have update permissions on the template to get the state.
+	// This matches a push!
+	if !api.Authorize(r, rbac.ActionUpdate, template.RBACObject()) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}