fix: adjust build state permission to require template update

kylecarbs · kylecarbs · commit 4528e8157fa1 · 2023-03-07T02:20:25.000Z
diff --git a/coderd/workspacebuilds.go b/coderd/workspacebuilds.go
@@ -892,8 +892,18 @@ func (api *API) workspaceBuildState(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
+	template, err := api.Database.GetTemplateByID(ctx, workspace.TemplateID)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Failed to get template",
+			Detail:  err.Error(),
+		})
+		return
+	}
 
-	if !api.Authorize(r, rbac.ActionRead, workspace) {
+	// You must have update permissions on the template to get the state.
+	// This matches a push!
+	if !api.Authorize(r, rbac.ActionUpdate, template.RBACObject()) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}
