chore: add permissions to autobuilder & prebuilder to run wsbuild (#18527)

Emyrk · web-flow · commit 45ab265df20d · 2025-06-24T08:45:41.000-05:00
Read organization member and read files is now required for dynamic
param building.
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -228,6 +228,8 @@ var (
 				Identifier:  rbac.RoleIdentifier{Name: "autostart"},
 				DisplayName: "Autostart Daemon",
 				Site: rbac.Permissions(map[string][]policy.Action{
+					rbac.ResourceOrganizationMember.Type:  {policy.ActionRead},
+					rbac.ResourceFile.Type:                {policy.ActionRead}, // Required to read terraform files
 					rbac.ResourceNotificationMessage.Type: {policy.ActionCreate, policy.ActionRead},
 					rbac.ResourceSystem.Type:              {policy.WildcardSymbol},
 					rbac.ResourceTemplate.Type:            {policy.ActionRead, policy.ActionUpdate},
@@ -443,6 +445,7 @@ var (
 					},
 					// Should be able to add the prebuilds system user as a member to any organization that needs prebuilds.
 					rbac.ResourceOrganizationMember.Type: {
+						policy.ActionRead,
 						policy.ActionCreate,
 					},
 					// Needs to be able to assign roles to the system user in order to make it a member of an organization.
@@ -456,6 +459,10 @@ var (
 					rbac.ResourceOrganization.Type: {
 						policy.ActionRead,
 					},
+					// Required to read the terraform files of a template
+					rbac.ResourceFile.Type: {
+						policy.ActionRead,
+					},
 				}),
 			},
 		}),
