fix: require update permission to recreate devcontainers (#25812) (#2… · coder/coder@e822677
@@ -1876,6 +1876,51 @@ func TestWorkspaceAgentRecreateDevcontainer(t *testing.T) {
18761876 })
18771877}
187818781879+func TestWorkspaceAgentRecreateDevcontainerAuthorization(t *testing.T) {
1880+t.Parallel()
1881+1882+for _, tc := range []struct {
1883+name string
1884+role func(uuid.UUID) rbac.RoleIdentifier
1885+ }{
1886+ {
1887+name: "TemplateAdmin",
1888+role: func(uuid.UUID) rbac.RoleIdentifier {
1889+return rbac.RoleTemplateAdmin()
1890+ },
1891+ },
1892+ {
1893+name: "OrgTemplateAdmin",
1894+role: rbac.ScopedRoleOrgTemplateAdmin,
1895+ },
1896+ } {
1897+t.Run(tc.name, func(t *testing.T) {
1898+t.Parallel()
1899+1900+var (
1901+ctx = testutil.Context(t, testutil.WaitMedium)
1902+client, db = coderdtest.NewWithDatabase(t, nil)
1903+admin = coderdtest.CreateFirstUser(t, client)
1904+_, workspaceOwner = coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
1905+templateAdminClient, _ = coderdtest.CreateAnotherUser(t, client, admin.OrganizationID, tc.role(admin.OrganizationID))
1906+workspace = dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
1907+OrganizationID: admin.OrganizationID,
1908+OwnerID: workspaceOwner.ID,
1909+ }).WithAgent(func(agents []*proto.Agent) []*proto.Agent {
1910+return agents
1911+ }).Do()
1912+ )
1913+1914+_, err := templateAdminClient.WorkspaceAgentRecreateDevcontainer(ctx, workspace.Agents[0].ID, uuid.NewString())
1915+require.Error(t, err)
1916+1917+var sdkErr *codersdk.Error
1918+require.ErrorAs(t, err, &sdkErr)
1919+require.Equal(t, http.StatusForbidden, sdkErr.StatusCode())
1920+ })
1921+ }
1922+}
1923+18791924func TestWorkspaceAgentDeleteDevcontainer(t *testing.T) {
18801925t.Parallel()
18811926
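Review bot: The table in TestWorkspaceAgentRecreateDevcontainerAuthorization pins only the denial path, so a regression that returns 403 to every caller would still pass it. The allow path for a caller with update permission is presumably covered by TestWorkspaceAgentRecreateDevcontainer above, but that test is outside this hunk and worth confirming. The call passes `uuid.NewString()` as the devcontainer ID and no agent is started in the test, so the 403 has to come from a check that runs before the agent is contacted. A comment above the call would protect that ordering from a later refactor, for example `// Random devcontainer ID and no running agent: the 403 must come from the authorization check itself.` The `WithAgent` callback returns its argument unchanged; if the builder accepts zero mutations, `.WithAgent().Do()` expresses the same thing.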