coder
diff --git a/‎coderd/audit/diff.go
Lines changed: 1 addition & 1 deletion b/‎coderd/audit/diff.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/audit/request.go
Lines changed: 3 additions & 3 deletions b/‎coderd/audit/request.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎coderd/autobuild/executor/lifecycle_executor.go
Lines changed: 2 additions & 2 deletions b/‎coderd/autobuild/executor/lifecycle_executor.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/autobuild/executor/lifecycle_executor_test.go
Lines changed: 4 additions & 3 deletions b/‎coderd/autobuild/executor/lifecycle_executor_test.go
Lines changed: 4 additions & 3 deletions
diff --git a/‎coderd/database/db.go
Lines changed: 0 additions & 12 deletions b/‎coderd/database/db.go
Lines changed: 0 additions & 12 deletions
diff --git a/‎coderd/database/dbauthz/querier.go
Lines changed: 61 additions & 25 deletions b/‎coderd/database/dbauthz/querier.go
Lines changed: 61 additions & 25 deletions
@@ -14,7 +14,7 @@ type Auditable interface {
 		database.User |
 		database.Workspace |
 		database.GitSSHKey |
-		database.WorkspaceBuildRBAC |
+		database.WorkspaceBuild |
 		database.AuditableGroup |
 		database.License
 }
 
@@ -62,7 +62,7 @@ func ResourceTarget[T Auditable](tgt T) string {
 		return typed.Username
 	case database.Workspace:
 		return typed.Name
-	case database.WorkspaceBuildRBAC:
+	case database.WorkspaceBuild:
 		// this isn't used
 		return ""
 	case database.GitSSHKey:
@@ -89,7 +89,7 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
 		return typed.ID
 	case database.Workspace:
 		return typed.ID
-	case database.WorkspaceBuildRBAC:
+	case database.WorkspaceBuild:
 		return typed.ID
 	case database.GitSSHKey:
 		return typed.UserID
@@ -114,7 +114,7 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
 		return database.ResourceTypeUser
 	case database.Workspace:
 		return database.ResourceTypeWorkspace
-	case database.WorkspaceBuildRBAC:
+	case database.WorkspaceBuild:
 		return database.ResourceTypeWorkspaceBuild
 	case database.GitSSHKey:
 		return database.ResourceTypeGitSshKey
 
@@ -204,7 +204,7 @@ func isEligibleForAutoStartStop(ws database.Workspace) bool {
 
 func getNextTransition(
 	ws database.Workspace,
-	priorHistory database.WorkspaceBuildRBAC,
+	priorHistory database.WorkspaceBuild,
 	priorJob database.ProvisionerJob,
 ) (
 	validTransition database.WorkspaceTransition,
@@ -239,7 +239,7 @@ func getNextTransition(
 
 // TODO(cian): this function duplicates most of api.postWorkspaceBuilds. Refactor.
 // See: https://github.com/coder/coder/issues/1401
-func build(ctx context.Context, store database.Store, workspace database.Workspace, trans database.WorkspaceTransition, priorHistory database.WorkspaceBuildRBAC, priorJob database.ProvisionerJob) error {
+func build(ctx context.Context, store database.Store, workspace database.Workspace, trans database.WorkspaceTransition, priorHistory database.WorkspaceBuild, priorJob database.ProvisionerJob) error {
 	template, err := store.GetTemplateByID(ctx, workspace.TemplateID)
 	if err != nil {
 		return xerrors.Errorf("get workspace template: %w", err)
 
@@ -2,16 +2,17 @@ package executor_test
 
 import (
 	"context"
+	"os"
 	"testing"
 	"time"
 
-	"github.com/google/uuid"
 	"go.uber.org/goleak"
 
+	"github.com/google/uuid"
+
 	"github.com/coder/coder/coderd/autobuild/executor"
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/coderd/database"
-	"github.com/coder/coder/coderd/database/dbtestutil"
 	"github.com/coder/coder/coderd/schedule"
 	"github.com/coder/coder/coderd/util/ptr"
 	"github.com/coder/coder/codersdk"
@@ -492,7 +493,7 @@ func TestExecutorWorkspaceAutostopNoWaitChangedMyMind(t *testing.T) {
 }
 
 func TestExecutorAutostartMultipleOK(t *testing.T) {
-	if !dbtestutil.UsingRealDatabase() {
+	if os.Getenv("DB") == "" {
 		t.Skip(`This test only really works when using a "real" database, similar to a HA setup`)
 	}
 
 
@@ -16,8 +16,6 @@ import (
 
 	"github.com/jmoiron/sqlx"
 	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/coderd/database/sqlxqueries"
 )
 
 // Store contains all queryable database functions.
@@ -39,21 +37,11 @@ type DBTX interface {
 	QueryRowContext(context.Context, string, ...interface{}) *sql.Row
 	SelectContext(ctx context.Context, dest interface{}, query string, args ...interface{}) error
 	GetContext(ctx context.Context, dest interface{}, query string, args ...interface{}) error
-
-	// Extends the sqlx interface
-	sqlx.QueryerContext
 }
 
 // New creates a new database store using a SQL database connection.
 func New(sdb *sql.DB) Store {
 	dbx := sqlx.NewDb(sdb, "postgres")
-	// Load the embedded queries. If this fails, some of our queries
-	// will never work. This is a fatal developer error that should never
-	// happen.
-	_, err := sqlxqueries.LoadQueries()
-	if err != nil {
-		panic(xerrors.Errorf("load queries: %w", err))
-	}
 	return &sqlQuerier{
 		db:  dbx,
 		sdb: dbx,
 
@@ -1167,12 +1167,25 @@ func (q *querier) GetWorkspaces(ctx context.Context, arg database.GetWorkspacesP
 	return q.db.GetAuthorizedWorkspaces(ctx, arg, prep)
 }
 
-func (q *querier) GetLatestWorkspaceBuildByWorkspaceID(ctx context.Context, workspaceID uuid.UUID) (database.WorkspaceBuildRBAC, error) {
-	return fetch(q.log, q.auth, q.db.GetLatestWorkspaceBuildByWorkspaceID)(ctx, workspaceID)
+func (q *querier) GetLatestWorkspaceBuildByWorkspaceID(ctx context.Context, workspaceID uuid.UUID) (database.WorkspaceBuild, error) {
+	if _, err := q.GetWorkspaceByID(ctx, workspaceID); err != nil {
+		return database.WorkspaceBuild{}, err
+	}
+	return q.db.GetLatestWorkspaceBuildByWorkspaceID(ctx, workspaceID)
 }
 
-func (q *querier) GetLatestWorkspaceBuildsByWorkspaceIDs(ctx context.Context, ids []uuid.UUID) ([]database.WorkspaceBuildRBAC, error) {
-	return fetchWithPostFilter(q.auth, q.db.GetLatestWorkspaceBuildsByWorkspaceIDs)(ctx, ids)
+func (q *querier) GetLatestWorkspaceBuildsByWorkspaceIDs(ctx context.Context, ids []uuid.UUID) ([]database.WorkspaceBuild, error) {
+	// This is not ideal as not all builds will be returned if the workspace cannot be read.
+	// This should probably be handled differently? Maybe join workspace builds with workspace
+	// ownership properties and filter on that.
+	for _, id := range ids {
+		_, err := q.GetWorkspaceByID(ctx, id)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return q.db.GetLatestWorkspaceBuildsByWorkspaceIDs(ctx, ids)
 }
 
 func (q *querier) GetWorkspaceAgentByID(ctx context.Context, id uuid.UUID) (database.WorkspaceAgent, error) {
@@ -1250,16 +1263,35 @@ func (q *querier) GetWorkspaceAppsByAgentID(ctx context.Context, agentID uuid.UU
 	return q.db.GetWorkspaceAppsByAgentID(ctx, agentID)
 }
 
-func (q *querier) GetWorkspaceBuildByID(ctx context.Context, buildID uuid.UUID) (database.WorkspaceBuildRBAC, error) {
-	return fetch(q.log, q.auth, q.db.GetWorkspaceBuildByID)(ctx, buildID)
+func (q *querier) GetWorkspaceBuildByID(ctx context.Context, buildID uuid.UUID) (database.WorkspaceBuild, error) {
+	build, err := q.db.GetWorkspaceBuildByID(ctx, buildID)
+	if err != nil {
+		return database.WorkspaceBuild{}, err
+	}
+	if _, err := q.GetWorkspaceByID(ctx, build.WorkspaceID); err != nil {
+		return database.WorkspaceBuild{}, err
+	}
+	return build, nil
 }
 
-func (q *querier) GetWorkspaceBuildByJobID(ctx context.Context, jobID uuid.UUID) (database.WorkspaceBuildRBAC, error) {
-	return fetch(q.log, q.auth, q.db.GetWorkspaceBuildByJobID)(ctx, jobID)
+func (q *querier) GetWorkspaceBuildByJobID(ctx context.Context, jobID uuid.UUID) (database.WorkspaceBuild, error) {
+	build, err := q.db.GetWorkspaceBuildByJobID(ctx, jobID)
+	if err != nil {
+		return database.WorkspaceBuild{}, err
+	}
+	// Authorized fetch
+	_, err = q.GetWorkspaceByID(ctx, build.WorkspaceID)
+	if err != nil {
+		return database.WorkspaceBuild{}, err
+	}
+	return build, nil
 }
 
-func (q *querier) GetWorkspaceBuildByWorkspaceIDAndBuildNumber(ctx context.Context, arg database.GetWorkspaceBuildByWorkspaceIDAndBuildNumberParams) (database.WorkspaceBuildRBAC, error) {
-	return fetch(q.log, q.auth, q.db.GetWorkspaceBuildByWorkspaceIDAndBuildNumber)(ctx, arg)
+func (q *querier) GetWorkspaceBuildByWorkspaceIDAndBuildNumber(ctx context.Context, arg database.GetWorkspaceBuildByWorkspaceIDAndBuildNumberParams) (database.WorkspaceBuild, error) {
+	if _, err := q.GetWorkspaceByID(ctx, arg.WorkspaceID); err != nil {
+		return database.WorkspaceBuild{}, err
+	}
+	return q.db.GetWorkspaceBuildByWorkspaceIDAndBuildNumber(ctx, arg)
 }
 
 func (q *querier) GetWorkspaceBuildParameters(ctx context.Context, workspaceBuildID uuid.UUID) ([]database.WorkspaceBuildParameter, error) {
@@ -1273,20 +1305,11 @@ func (q *querier) GetWorkspaceBuildParameters(ctx context.Context, workspaceBuil
 	return q.db.GetWorkspaceBuildParameters(ctx, workspaceBuildID)
 }
 
-func (q *querier) GetWorkspaceBuildsByWorkspaceID(ctx context.Context, arg database.GetWorkspaceBuildsByWorkspaceIDParams) ([]database.WorkspaceBuildRBAC, error) {
-	builds, err := q.db.GetWorkspaceBuildsByWorkspaceID(ctx, arg)
-	if err != nil {
-		return nil, err
-	}
-	if len(builds) == 0 {
-		return []database.WorkspaceBuildRBAC{}, nil
-	}
-	// All builds come from the same workspace, so we only need to check the first one.
-	err = q.authorizeContext(ctx, rbac.ActionRead, builds[0])
-	if err != nil {
+func (q *querier) GetWorkspaceBuildsByWorkspaceID(ctx context.Context, arg database.GetWorkspaceBuildsByWorkspaceIDParams) ([]database.WorkspaceBuild, error) {
+	if _, err := q.GetWorkspaceByID(ctx, arg.WorkspaceID); err != nil {
 		return nil, err
 	}
-	return builds, nil
+	return q.db.GetWorkspaceBuildsByWorkspaceID(ctx, arg)
 }
 
 func (q *querier) GetWorkspaceByAgentID(ctx context.Context, agentID uuid.UUID) (database.Workspace, error) {
@@ -1346,7 +1369,11 @@ func (q *querier) GetWorkspaceResourcesByJobID(ctx context.Context, jobID uuid.U
 		if err != nil {
 			return nil, err
 		}
-		obj = build
+		workspace, err := q.db.GetWorkspaceByID(ctx, build.WorkspaceID)
+		if err != nil {
+			return nil, err
+		}
+		obj = workspace
 	default:
 		return nil, xerrors.Errorf("unknown job type: %s", job.Type)
 	}
@@ -1387,7 +1414,12 @@ func (q *querier) InsertWorkspaceBuildParameters(ctx context.Context, arg databa
 		return err
 	}
 
-	err = q.authorizeContext(ctx, rbac.ActionUpdate, build)
+	workspace, err := q.db.GetWorkspaceByID(ctx, build.WorkspaceID)
+	if err != nil {
+		return err
+	}
+
+	err = q.authorizeContext(ctx, rbac.ActionUpdate, workspace)
 	if err != nil {
 		return err
 	}
@@ -1451,7 +1483,11 @@ func (q *querier) UpdateWorkspaceBuildByID(ctx context.Context, arg database.Upd
 		return database.WorkspaceBuild{}, err
 	}
 
-	err = q.authorizeContext(ctx, rbac.ActionUpdate, build)
+	workspace, err := q.db.GetWorkspaceByID(ctx, build.WorkspaceID)
+	if err != nil {
+		return database.WorkspaceBuild{}, err
+	}
+	err = q.authorizeContext(ctx, rbac.ActionUpdate, workspace.RBACObject())
 	if err != nil {
 		return database.WorkspaceBuild{}, err
 	}
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ type Auditable interface {`
`14`	`14`	`database.User \|`
`15`	`15`	`database.Workspace \|`
`16`	`16`	`database.GitSSHKey \|`
`17`		`- database.WorkspaceBuildRBAC \|`
	`17`	`+ database.WorkspaceBuild \|`
`18`	`18`	`database.AuditableGroup \|`
`19`	`19`	`database.License`
`20`	`20`	`}`