fix: fix permissions for workspace creation

jaaydenh · jaaydenh · commit 55ed6535847c · 2025-04-03T13:22:05.000Z
diff --git a/site/src/api/queries/organizations.ts b/site/src/api/queries/organizations.ts
@@ -306,6 +306,7 @@ export const organizationsPermissions = (
 
 export const workspacePermissionsByOrganization = (
 	organizationIds: string[] | undefined,
+	userId: string,
 ) => {
 	if (!organizationIds) {
 		return { enabled: false };
@@ -315,7 +316,7 @@ export const workspacePermissionsByOrganization = (
 		queryKey: ["workspaces", organizationIds.sort(), "permissions"],
 		queryFn: async () => {
 			const prefixedChecks = organizationIds.flatMap((orgId) =>
-				Object.entries(workspacePermissionChecks(orgId)).map(([key, val]) => [
+				Object.entries(workspacePermissionChecks(orgId, userId)).map(([key, val]) => [
 					`${orgId}.${key}`,
 					val,
 				]),
diff --git a/site/src/components/Checkbox/Checkbox.tsx b/site/src/components/Checkbox/Checkbox.tsx
@@ -0,0 +1,30 @@
+"use client"
+
+import * as React from "react"
+import * as CheckboxPrimitive from "@radix-ui/react-checkbox"
+import { Check } from "lucide-react"
+
+import { cn } from "utils/cn"
+
+const Checkbox = React.forwardRef<
+  React.ElementRef<typeof CheckboxPrimitive.Root>,
+  React.ComponentPropsWithoutRef<typeof CheckboxPrimitive.Root>
+>(({ className, ...props }, ref) => (
+  <CheckboxPrimitive.Root
+    ref={ref}
+    className={cn(
+      "peer h-4 w-4 shrink-0 rounded-sm border border-primary shadow focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:cursor-not-allowed disabled:opacity-50 data-[state=checked]:bg-primary data-[state=checked]:text-primary-foreground",
+      className
+    )}
+    {...props}
+  >
+    <CheckboxPrimitive.Indicator
+      className={cn("flex items-center justify-center text-current")}
+    >
+      <Check className="h-4 w-4" />
+    </CheckboxPrimitive.Indicator>
+  </CheckboxPrimitive.Root>
+))
+Checkbox.displayName = CheckboxPrimitive.Root.displayName
+
+export { Checkbox }
diff --git a/site/src/modules/permissions/workspaces.ts b/site/src/modules/permissions/workspaces.ts
@@ -1,10 +1,10 @@
-export const workspacePermissionChecks = (organizationId: string) =>
+export const workspacePermissionChecks = (organizationId: string, userId: string) =>
 	({
-		createWorkspaceForUser: {
+		createWorkspace: {
 			object: {
 				resource_type: "workspace",
 				organization_id: organizationId,
-				owner_id: "*",
+				owner_id: userId,
 			},
 			action: "create",
 		},
diff --git a/site/src/pages/CreateWorkspacePage/CreateWorkspacePage.tsx b/site/src/pages/CreateWorkspacePage/CreateWorkspacePage.tsx
@@ -67,7 +67,7 @@ const CreateWorkspacePage: FC = () => {
 	const permissionsQuery = useQuery(
 		templateQuery.data
 			? checkAuthorization({
-					checks: workspacePermissionChecks(templateQuery.data.organization_id),
+					checks: workspacePermissionChecks(templateQuery.data.organization_id, me.id),
 				})
 			: { enabled: false },
 	);
diff --git a/site/src/pages/CreateWorkspacePage/CreateWorkspacePageView.stories.tsx b/site/src/pages/CreateWorkspacePage/CreateWorkspacePageView.stories.tsx
@@ -27,7 +27,7 @@ const meta: Meta<typeof CreateWorkspacePageView> = {
 		hasAllRequiredExternalAuth: true,
 		mode: "form",
 		permissions: {
-			createWorkspaceForUser: true,
+			createWorkspace: true,
 		},
 		onCancel: action("onCancel"),
 	},
diff --git a/site/src/pages/CreateWorkspacePage/CreateWorkspacePageView.tsx b/site/src/pages/CreateWorkspacePage/CreateWorkspacePageView.tsx
@@ -256,7 +256,7 @@ export const CreateWorkspacePageView: FC<CreateWorkspacePageViewProps> = ({
 				<FormSection
 					title="General"
 					description={
-						permissions.createWorkspaceForUser
+						permissions.createWorkspace
 							? "The name of the workspace and its owner. Only admins can create workspaces for other users."
 							: "The name of your new workspace."
 					}
@@ -301,7 +301,7 @@ export const CreateWorkspacePageView: FC<CreateWorkspacePageViewProps> = ({
 							</FormHelperText>
 						</div>
 
-						{permissions.createWorkspaceForUser && (
+						{permissions.createWorkspace && (
 							<UserAutocomplete
 								value={owner}
 								onChange={(user) => {
diff --git a/site/src/pages/TemplatePage/TemplateLayout.tsx b/site/src/pages/TemplatePage/TemplateLayout.tsx
@@ -6,6 +6,7 @@ import { Loader } from "components/Loader/Loader";
 import { Margins } from "components/Margins/Margins";
 import { TabLink, Tabs, TabsList } from "components/Tabs/Tabs";
 import { workspacePermissionChecks } from "modules/permissions/workspaces";
+import { useAuthenticated } from "contexts/auth/RequireAuth";
 import {
 	type FC,
 	type PropsWithChildren,
@@ -73,6 +74,7 @@ export const TemplateLayout: FC<PropsWithChildren> = ({
 	children = <Outlet />,
 }) => {
 	const navigate = useNavigate();
+	const { user: me } = useAuthenticated();
 	const { organization: organizationName = "default", template: templateName } =
 		useParams() as { organization?: string; template: string };
 	const { data, error, isLoading } = useQuery({
@@ -81,7 +83,7 @@ export const TemplateLayout: FC<PropsWithChildren> = ({
 	});
 	const workspacePermissionsQuery = useQuery(
 		checkAuthorization({
-			checks: workspacePermissionChecks(organizationName),
+			checks: workspacePermissionChecks(organizationName, me.id),
 		}),
 	);
 
diff --git a/site/src/pages/TemplatePage/TemplatePageHeader.stories.tsx b/site/src/pages/TemplatePage/TemplatePageHeader.stories.tsx
@@ -14,7 +14,7 @@ const meta: Meta<typeof TemplatePageHeader> = {
 			canUpdateTemplate: true,
 		},
 		workspacePermissions: {
-			createWorkspaceForUser: true,
+			createWorkspace: true,
 		},
 	},
 };
@@ -35,7 +35,7 @@ export const CanNotUpdate: Story = {
 export const CannotCreateWorkspace: Story = {
 	args: {
 		workspacePermissions: {
-			createWorkspaceForUser: false,
+			createWorkspace: false,
 		},
 	},
 };
diff --git a/site/src/pages/TemplatePage/TemplatePageHeader.tsx b/site/src/pages/TemplatePage/TemplatePageHeader.tsx
@@ -180,7 +180,7 @@ export const TemplatePageHeader: FC<TemplatePageHeaderProps> = ({
 				actions={
 					<>
 						{!template.deprecated &&
-							workspacePermissions.createWorkspaceForUser && (
+							workspacePermissions.createWorkspace && (
 								<Button
 									variant="contained"
 									startIcon={<AddIcon />}
diff --git a/site/src/pages/TemplatesPage/TemplatesPage.tsx b/site/src/pages/TemplatesPage/TemplatesPage.tsx
@@ -11,7 +11,7 @@ import { pageTitle } from "utils/page";
 import { TemplatesPageView } from "./TemplatesPageView";
 
 export const TemplatesPage: FC = () => {
-	const { permissions } = useAuthenticated();
+	const { permissions, user: me } = useAuthenticated();
 	const { showOrganizations } = useDashboard();
 
 	const searchParamsResult = useSearchParams();
@@ -30,6 +30,7 @@ export const TemplatesPage: FC = () => {
 	const workspacePermissionsQuery = useQuery(
 		workspacePermissionsByOrganization(
 			templatesQuery.data?.map((template) => template.organization_id),
+			me.id,
 		),
 	);
 
diff --git a/site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx b/site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx
@@ -76,7 +76,7 @@ export const WithTemplates: Story = {
 		examples: [],
 		workspacePermissions: {
 			[MockTemplate.organization_id]: {
-				createWorkspaceForUser: true,
+				createWorkspace: true,
 			},
 		},
 	},
@@ -94,7 +94,7 @@ export const CannotCreateWorkspaces: Story = {
 		...WithTemplates.args,
 		workspacePermissions: {
 			[MockTemplate.organization_id]: {
-				createWorkspaceForUser: false,
+				createWorkspace: false,
 			},
 		},
 	},
diff --git a/site/src/pages/TemplatesPage/TemplatesPageView.tsx b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
@@ -160,7 +160,7 @@ const TemplateRow: FC<TemplateRowProps> = ({
 				{template.deprecated ? (
 					<DeprecatedBadge />
 				) : workspacePermissions?.[template.organization_id]
-						?.createWorkspaceForUser ? (
+						?.createWorkspace ? (
 					<MuiButton
 						size="small"
 						css={styles.actionButton}
diff --git a/site/src/pages/WorkspacesPage/WorkspacesPage.tsx b/site/src/pages/WorkspacesPage/WorkspacesPage.tsx
@@ -40,14 +40,15 @@ const WorkspacesPage: FC = () => {
 	// each hook.
 	const searchParamsResult = useSafeSearchParams();
 	const pagination = usePagination({ searchParamsResult });
-	const { permissions } = useAuthenticated();
+	const { permissions, user: me } = useAuthenticated();
 	const { entitlements } = useDashboard();
 
 	const templatesQuery = useQuery(templates());
 
 	const orgPermissionsQuery = useQuery(
 		workspacePermissionsByOrganization(
 			templatesQuery.data?.map((template) => template.organization_id),
+			me.id,
 		),
 	);
 
@@ -59,7 +60,7 @@ const WorkspacesPage: FC = () => {
 
 		return templatesQuery.data.filter((template) => {
 			const orgPermission = orgPermissionsQuery.data[template.organization_id];
-			return orgPermission?.createWorkspaceForUser;
+			return orgPermission?.createWorkspace;
 		});
 	}, [templatesQuery.data, orgPermissionsQuery.data]);
 
