feat: allow TemplateAdmin to delete prebuilds via auth layer #18333
+493
−63
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
e05480d to
db80b4d
Compare
db80b4d to
2ba15c5
Compare
johnstcn
reviewed
Jun 12, 2025
johnstcn
reviewed
Jun 12, 2025
johnstcn
reviewed
Jun 18, 2025
…resolve import cycle
Emyrk
reviewed
Jun 18, 2025
Comment on lines
+278
to
+281
| // PrebuiltWorkspaces are a subset of Workspaces. | ||
| // Explicitly setting PrebuiltWorkspace permissions for clarity. | ||
| // Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions. | ||
| ResourcePrebuiltWorkspace.Type: {policy.ActionUpdate, policy.ActionDelete}, |
johnstcn
reviewed
Jun 20, 2025
| @@ -180,7 +180,7 @@ func ExtractOrganizationMember(ctx context.Context, auth func(r *http.Request, a | |||
| organizationMembers, err := db.OrganizationMembers(ctx, database.OrganizationMembersParams{ | |||
| OrganizationID: orgID, | |||
| UserID: user.ID, | |||
| IncludeSystem: false, | |||
| IncludeSystem: true, | |||
There was a problem hiding this comment.
review: this is required in order to be able to delete a prebuilt workspace from the CLI, as it needs to fetch it first.
There was a problem hiding this comment.
Added to the PR description as well:
- Update middleware ExtractOrganizationMember to include system user members.
johnstcn
reviewed
Jun 20, 2025
johnstcn
approved these changes
Jun 20, 2025
Emyrk
approved these changes
Jun 20, 2025
Comment on lines
+163
to
+172
| if (action == policy.ActionUpdate || action == policy.ActionDelete) && workspace.IsPrebuild() { | ||
| // Try prebuilt-specific authorization first | ||
| if prebuiltErr = q.authorizeContext(ctx, action, workspace.AsPrebuild()); prebuiltErr == nil { | ||
| return nil | ||
| } | ||
| } | ||
| // Fallback to normal workspace authorization check | ||
| if err := q.authorizeContext(ctx, action, workspace); err != nil { | ||
| return xerrors.Errorf("authorize context: %w", errors.Join(prebuiltErr, err)) | ||
| } |
There was a problem hiding this comment.
I think the normal workspace check is more likely to succeed then the prebuild. So it might be a slight optimization to flip these checks.
But that will probably break some of the unit tests? No need to change this, just a thought.
There was a problem hiding this comment.
Good point, I had considered that optimization as well. I believe it might require some test updates, so I'd prefer to merge this PR and address the optimization in a follow-up PR.
Emyrk
reviewed
Jun 20, 2025
| @@ -5564,3 +5564,63 @@ func (s *MethodTestSuite) TestChat() { | |||
| }).Asserts(c, policy.ActionUpdate) | |||
| })) | |||
| } | |||
|
|
|||
| func (s *MethodTestSuite) TestAuthorizePrebuiltWorkspace() { | |||
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR adds support for deleting prebuilt workspaces via the authorization layer. It introduces special-case handling to ensure that
prebuilt_workspacepermissions are evaluated when attempting to delete a prebuilt workspace, falling back to the standardworkspaceresource as needed.Prebuilt workspaces are a subset of workspaces, identified by having
owner_idset toPREBUILD_SYSTEM_USER.This means:
prebuilt_workspace.deletepermission is allowed to delete only prebuilt workspaces.workspace.deletepermission can delete both normal and prebuilt workspaces.prebuilt_workspaceresource.To delete a workspace, users must have the following permissions:
workspace.read: to read the current workspace stateupdate: to modify workspace metadata and related resources during deletion (e.g., updating thedeletedfield in the database)delete: to perform the actual deletion of the workspaceChanges
authorizeWorkspace()helper to handle prebuilt workspace authorization logic.prebuilt_workspaceandworkspacepermissions are checked.SystemUserIDconstant from theprebuildspackage to thedatabasepackagePrebuildsSystemUserIDto resolve an import cycle (commit f24e4ab).ExtractOrganizationMemberto include system user members.