fix: require update permission to recreate devcontainers (#25812) (#2… · coder/coder@cc895f6
@@ -1832,6 +1832,51 @@ func TestWorkspaceAgentRecreateDevcontainer(t *testing.T) {
18321832 })
18331833}
183418341835+func TestWorkspaceAgentRecreateDevcontainerAuthorization(t *testing.T) {
1836+t.Parallel()
1837+1838+for _, tc := range []struct {
1839+name string
1840+role func(uuid.UUID) rbac.RoleIdentifier
1841+ }{
1842+ {
1843+name: "TemplateAdmin",
1844+role: func(uuid.UUID) rbac.RoleIdentifier {
1845+return rbac.RoleTemplateAdmin()
1846+ },
1847+ },
1848+ {
1849+name: "OrgTemplateAdmin",
1850+role: rbac.ScopedRoleOrgTemplateAdmin,
1851+ },
1852+ } {
1853+t.Run(tc.name, func(t *testing.T) {
1854+t.Parallel()
1855+1856+var (
1857+ctx = testutil.Context(t, testutil.WaitMedium)
1858+client, db = coderdtest.NewWithDatabase(t, nil)
1859+admin = coderdtest.CreateFirstUser(t, client)
1860+_, workspaceOwner = coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
1861+templateAdminClient, _ = coderdtest.CreateAnotherUser(t, client, admin.OrganizationID, tc.role(admin.OrganizationID))
1862+workspace = dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
1863+OrganizationID: admin.OrganizationID,
1864+OwnerID: workspaceOwner.ID,
1865+ }).WithAgent(func(agents []*proto.Agent) []*proto.Agent {
1866+return agents
1867+ }).Do()
1868+ )
1869+1870+_, err := templateAdminClient.WorkspaceAgentRecreateDevcontainer(ctx, workspace.Agents[0].ID, uuid.NewString())
1871+require.Error(t, err)
1872+1873+var sdkErr *codersdk.Error
1874+require.ErrorAs(t, err, &sdkErr)
1875+require.Equal(t, http.StatusForbidden, sdkErr.StatusCode())
1876+ })
1877+ }
1878+}
1879+18351880func TestWorkspaceAgentDeleteDevcontainer(t *testing.T) {
18361881t.Parallel()
18371882
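Review bot: The table in TestWorkspaceAgentRecreateDevcontainerAuthorization pins the 403 only for the two template-admin roles and has no positive control, so it would still pass if the handler rejected every caller, the workspace owner included, unless the preceding test (whose body is outside this hunk) already covers the owner path. A companion case that makes the same call with the owner's client and checks `require.NotEqual(t, http.StatusForbidden, sdkErr.StatusCode())` would tie the denial to the missing update permission rather than to the endpoint as a whole. The `_` discarded from the first `CreateAnotherUser` call is presumably that client. A short doc comment above the function would also help, for example `// Template admins must not be able to recreate devcontainers in workspaces they do not own; the API should answer 403.`. On style, `require.Error(t, err)` is redundant with the `require.ErrorAs` that follows, and the identity callback passed to `WithAgent` can likely be dropped if that method accepts zero mutations.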