check use perm on creating a workspace

Emyrk · Emyrk · commit 343c70d849c9 · 2025-01-08T15:14:46.000-06:00
diff --git a/coderd/rbac/object_gen.go b/coderd/rbac/object_gen.go
diff --git a/coderd/rbac/policy/policy.go b/coderd/rbac/policy/policy.go
@@ -134,7 +134,7 @@ var RBACPermissions = map[string]PermissionDefinition{
 	"template": {
 		Actions: map[Action]ActionDefinition{
 			ActionCreate:       actDef("create a template"),
-			ActionUse:          actDef("use the template to create a workspace"),
+			ActionUse:          actDef("use the template to initially create a workspace, then workspace lifecycle permissions take over"),
 			ActionRead:         actDef("read template"),
 			ActionUpdate:       actDef("update a template"),
 			ActionDelete:       actDef("delete a template"),
diff --git a/coderd/workspaces.go b/coderd/workspaces.go
@@ -515,6 +515,18 @@ func createWorkspace(
 		return
 	}
 
+	// The user also needs permission to use the template. At this point they have
+	// read perms, but not necessarily "use"
+	if !api.Authorize(r, policy.ActionUse, template) {
+		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
+			Message: fmt.Sprintf("Unauthorized access to use the template %q.", template.Name),
+			Detail: "Although you are able to view the template, you are unable to create a workspace using it. " +
+				"Please contact an administrator about your permissions if you feel this is an error.",
+			Validations: nil,
+		})
+		return
+	}
+
 	// Update audit log's organization
 	auditReq.UpdateOrganizationID(template.OrganizationID)
 
diff --git a/site/src/api/rbacresourcesGenerated.ts b/site/src/api/rbacresourcesGenerated.ts
@@ -144,7 +144,7 @@ export const RBACResourceActions: Partial<
 		delete: "delete a template",
 		read: "read template",
 		update: "update a template",
-		use: "use the template to create a workspace",
+		use: "use the template to initially create a workspace, then workspace lifecycle permissions take over",
 		view_insights: "view insights",
 	},
 	user: {
