coder
diff --git a/‎cli/delete_test.go
Lines changed: 219 additions & 0 deletions b/‎cli/delete_test.go
Lines changed: 219 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 5 additions & 5 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 5 additions & 5 deletions
diff --git a/‎coderd/rbac/object_gen.go
Lines changed: 0 additions & 1 deletion b/‎coderd/rbac/object_gen.go
Lines changed: 0 additions & 1 deletion
diff --git a/‎coderd/rbac/policy/policy.go
Lines changed: 4 additions & 3 deletions b/‎coderd/rbac/policy/policy.go
Lines changed: 4 additions & 3 deletions
diff --git a/‎coderd/rbac/roles.go
Lines changed: 4 additions & 4 deletions b/‎coderd/rbac/roles.go
Lines changed: 4 additions & 4 deletions
diff --git a/‎coderd/rbac/roles_test.go
Lines changed: 3 additions & 2 deletions b/‎coderd/rbac/roles_test.go
Lines changed: 3 additions & 2 deletions
diff --git a/‎coderd/wsbuilder/wsbuilder.go
Lines changed: 12 additions & 1 deletion b/‎coderd/wsbuilder/wsbuilder.go
Lines changed: 12 additions & 1 deletion
diff --git a/‎codersdk/rbacresources_gen.go
Lines changed: 1 addition & 1 deletion b/‎codersdk/rbacresources_gen.go
Lines changed: 1 addition & 1 deletion
@@ -2,9 +2,18 @@ package cli_test
 
 import (
 	"context"
+	"database/sql"
 	"fmt"
 	"io"
 	"testing"
+	"time"
+
+	"github.com/google/uuid"
+
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbgen"
+	"github.com/coder/coder/v2/coderd/database/pubsub"
+	"github.com/coder/quartz"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -209,4 +218,214 @@ func TestDelete(t *testing.T) {
 		cancel()
 		<-doneChan
 	})
+
+	t.Run("Workspace delete permissions", func(t *testing.T) {
+		t.Parallel()
+		if !dbtestutil.WillUsePostgres() {
+			t.Skip("this test requires postgres")
+		}
+
+		clock := quartz.NewMock(t)
+		ctx := testutil.Context(t, testutil.WaitSuperLong)
+
+		// Setup
+		db, pb := dbtestutil.NewDB(t, dbtestutil.WithDumpOnFailure())
+		client, _ := coderdtest.NewWithProvisionerCloser(t, &coderdtest.Options{
+			Database:                 db,
+			Pubsub:                   pb,
+			IncludeProvisionerDaemon: true,
+		})
+		owner := coderdtest.CreateFirstUser(t, client)
+		orgID := owner.OrganizationID
+
+		// Given a template version with a preset and a template
+		version := coderdtest.CreateTemplateVersion(t, client, orgID, nil)
+		coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
+		preset := setupTestDBPreset(t, db, version.ID)
+		template := coderdtest.CreateTemplate(t, client, orgID, version.ID)
+
+		cases := []struct {
+			name                          string
+			client                        *codersdk.Client
+			expectedPrebuiltDeleteErrMsg  string
+			expectedWorkspaceDeleteErrMsg string
+		}{
+			// Users with the OrgAdmin role should be able to delete both normal and prebuilt workspaces
+			{
+				name: "OrgAdmin",
+				client: func() *codersdk.Client {
+					client, _ := coderdtest.CreateAnotherUser(t, client, orgID, rbac.ScopedRoleOrgAdmin(orgID))
+					return client
+				}(),
+			},
+			// Users with the TemplateAdmin role should be able to delete prebuilt workspaces, but not normal workspaces
+			{
+				name: "TemplateAdmin",
+				client: func() *codersdk.Client {
+					client, _ := coderdtest.CreateAnotherUser(t, client, orgID, rbac.RoleTemplateAdmin())
+					return client
+				}(),
+				expectedWorkspaceDeleteErrMsg: "unexpected status code 403: You do not have permission to delete this workspace.",
+			},
+			// Users with the OrgTemplateAdmin role should be able to delete prebuilt workspaces, but not normal workspaces
+			{
+				name: "OrgTemplateAdmin",
+				client: func() *codersdk.Client {
+					client, _ := coderdtest.CreateAnotherUser(t, client, orgID, rbac.ScopedRoleOrgTemplateAdmin(orgID))
+					return client
+				}(),
+				expectedWorkspaceDeleteErrMsg: "unexpected status code 403: You do not have permission to delete this workspace.",
+			},
+			// Users with the Member role should not be able to delete prebuilt or normal workspaces
+			{
+				name: "Member",
+				client: func() *codersdk.Client {
+					client, _ := coderdtest.CreateAnotherUser(t, client, orgID, rbac.RoleMember())
+					return client
+				}(),
+				expectedPrebuiltDeleteErrMsg:  "unexpected status code 404: Resource not found or you do not have access to this resource",
+				expectedWorkspaceDeleteErrMsg: "unexpected status code 404: Resource not found or you do not have access to this resource",
+			},
+		}
+
+		for _, tc := range cases {
+			tc := tc
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+
+				// Create one prebuilt workspace (owned by system user) and one normal workspace (owned by the owner user)
+				// Each workspace is persisted in the DB along with associated workspace jobs and builds.
+				dbPrebuiltWorkspace := setupTestDBWorkspace(t, clock, db, pb, orgID, database.PrebuildsSystemUserID, template.ID, version.ID, preset.ID)
+				dbUserWorkspace := setupTestDBWorkspace(t, clock, db, pb, orgID, owner.UserID, template.ID, version.ID, preset.ID)
+
+				// Ensure at least one prebuilt workspace is reported as running in the database
+				testutil.Eventually(ctx, t, func(ctx context.Context) (done bool) {
+					running, err := db.GetRunningPrebuiltWorkspaces(ctx)
+					if !assert.NoError(t, err) || !assert.GreaterOrEqual(t, len(running), 1) {
+						return false
+					}
+					return true
+				}, testutil.IntervalMedium, "running prebuilt workspaces timeout")
+
+				runningWorkspaces, err := db.GetRunningPrebuiltWorkspaces(ctx)
+				require.NoError(t, err)
+				require.GreaterOrEqual(t, len(runningWorkspaces), 1)
+
+				// Get the full prebuilt workspace object from the DB
+				prebuiltWorkspace, err := db.GetWorkspaceByID(ctx, runningWorkspaces[0].ID)
+				require.NoError(t, err)
+
+				// Attempt to delete the prebuilt workspace as the test client
+				build, err := tc.client.CreateWorkspaceBuild(ctx, dbPrebuiltWorkspace.ID, codersdk.CreateWorkspaceBuildRequest{
+					Transition: codersdk.WorkspaceTransitionDelete,
+				})
+				// Validate the result based on the expected error message
+				if tc.expectedPrebuiltDeleteErrMsg != "" {
+					require.Error(t, err)
+					require.Contains(t, err.Error(), tc.expectedPrebuiltDeleteErrMsg)
+				} else {
+					require.NoError(t, err, "delete the prebuilt workspace")
+					coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, build.ID)
+
+					// Verify that the prebuilt workspace is now marked as deleted
+					deletedWorkspace, err := client.DeletedWorkspace(ctx, prebuiltWorkspace.ID)
+					require.NoError(t, err)
+					require.Equal(t, prebuiltWorkspace.ID, deletedWorkspace.ID)
+				}
+
+				// Get the full user workspace object from the DB
+				userWorkspace, err := db.GetWorkspaceByID(ctx, dbUserWorkspace.ID)
+				require.NoError(t, err)
+
+				// Attempt to delete the prebuilt workspace as the test client
+				build, err = tc.client.CreateWorkspaceBuild(ctx, dbUserWorkspace.ID, codersdk.CreateWorkspaceBuildRequest{
+					Transition: codersdk.WorkspaceTransitionDelete,
+				})
+				// Validate the result based on the expected error message
+				if tc.expectedWorkspaceDeleteErrMsg != "" {
+					require.Error(t, err)
+					require.Contains(t, err.Error(), tc.expectedWorkspaceDeleteErrMsg)
+				} else {
+					require.NoError(t, err, "delete the user Workspace")
+					coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, build.ID)
+
+					// Verify that the user workspace is now marked as deleted
+					deletedWorkspace, err := client.DeletedWorkspace(ctx, userWorkspace.ID)
+					require.NoError(t, err)
+					require.Equal(t, userWorkspace.ID, deletedWorkspace.ID)
+				}
+			})
+		}
+	})
+}
+
+func setupTestDBPreset(
+	t *testing.T,
+	db database.Store,
+	templateVersionID uuid.UUID,
+) database.TemplateVersionPreset {
+	t.Helper()
+
+	preset := dbgen.Preset(t, db, database.InsertPresetParams{
+		TemplateVersionID: templateVersionID,
+		Name:              "preset-test",
+		DesiredInstances: sql.NullInt32{
+			Valid: true,
+			Int32: 1,
+		},
+	})
+	dbgen.PresetParameter(t, db, database.InsertPresetParametersParams{
+		TemplateVersionPresetID: preset.ID,
+		Names:                   []string{"test"},
+		Values:                  []string{"test"},
+	})
+
+	return preset
+}
+
+func setupTestDBWorkspace(
+	t *testing.T,
+	clock quartz.Clock,
+	db database.Store,
+	ps pubsub.Pubsub,
+	orgID uuid.UUID,
+	ownerID uuid.UUID,
+	templateID uuid.UUID,
+	templateVersionID uuid.UUID,
+	presetID uuid.UUID,
+) database.WorkspaceTable {
+	t.Helper()
+
+	workspace := dbgen.Workspace(t, db, database.WorkspaceTable{
+		TemplateID:     templateID,
+		OrganizationID: orgID,
+		OwnerID:        ownerID,
+		Deleted:        false,
+		CreatedAt:      time.Now().Add(-time.Hour * 2),
+	})
+	job := dbgen.ProvisionerJob(t, db, ps, database.ProvisionerJob{
+		InitiatorID:    ownerID,
+		CreatedAt:      time.Now().Add(-time.Hour * 2),
+		StartedAt:      sql.NullTime{Time: clock.Now().Add(-time.Hour * 2), Valid: true},
+		CompletedAt:    sql.NullTime{Time: clock.Now().Add(-time.Hour), Valid: true},
+		OrganizationID: orgID,
+	})
+	workspaceBuild := dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{
+		WorkspaceID:             workspace.ID,
+		InitiatorID:             ownerID,
+		TemplateVersionID:       templateVersionID,
+		JobID:                   job.ID,
+		TemplateVersionPresetID: uuid.NullUUID{UUID: presetID, Valid: true},
+		Transition:              database.WorkspaceTransitionStart,
+		CreatedAt:               clock.Now(),
+	})
+	dbgen.WorkspaceBuildParameters(t, db, []database.WorkspaceBuildParameter{
+		{
+			WorkspaceBuildID: workspaceBuild.ID,
+			Name:             "test",
+			Value:            "test",
+		},
+	})
+
+	return workspace
 }
@@ -149,15 +149,15 @@ func (q *querier) authorizeContext(ctx context.Context, action policy.Action, ob
 	return nil
 }
 
-// authorizeWorkspace handles authorization for workspace resource types.
+// authorizePrebuiltWorkspace handles authorization for workspace resource types.
 // prebuilt_workspaces are a subset of workspaces, currently limited to
 // supporting delete operations. Therefore, if the action is delete or
 // update and the workspace is a prebuild, a prebuilt-specific authorization
 // is attempted first. If that fails, it falls back to normal workspace
 // authorization.
 // Note: Delete operations of workspaces requires both update and delete
 // permissions.
-func (q *querier) authorizeWorkspace(ctx context.Context, action policy.Action, workspace database.Workspace) error {
+func (q *querier) authorizePrebuiltWorkspace(ctx context.Context, action policy.Action, workspace database.Workspace) error {
 	var prebuiltErr error
 	// Special handling for prebuilt_workspace deletion authorization check
 	if (action == policy.ActionUpdate || action == policy.ActionDelete) && workspace.IsPrebuild() {
@@ -439,7 +439,7 @@ var (
 					// Explicitly setting PrebuiltWorkspace permissions for clarity.
 					// Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions.
 					rbac.ResourcePrebuiltWorkspace.Type: {
-						policy.ActionRead, policy.ActionUpdate, policy.ActionDelete,
+						policy.ActionUpdate, policy.ActionDelete,
 					},
 					// Should be able to add the prebuilds system user as a member to any organization that needs prebuilds.
 					rbac.ResourceOrganizationMember.Type: {
@@ -3962,7 +3962,7 @@ func (q *querier) InsertWorkspaceBuild(ctx context.Context, arg database.InsertW
 	}
 
 	// Special handling for prebuilt workspace deletion
-	if err := q.authorizeWorkspace(ctx, action, w); err != nil {
+	if err := q.authorizePrebuiltWorkspace(ctx, action, w); err != nil {
 		return err
 	}
 
@@ -4003,7 +4003,7 @@ func (q *querier) InsertWorkspaceBuildParameters(ctx context.Context, arg databa
 	}
 
 	// Special handling for prebuilt workspace deletion
-	if err := q.authorizeWorkspace(ctx, policy.ActionUpdate, workspace); err != nil {
+	if err := q.authorizePrebuiltWorkspace(ctx, policy.ActionUpdate, workspace); err != nil {
 		return err
 	}
 
 
@@ -104,13 +104,14 @@ var RBACPermissions = map[string]PermissionDefinition{
 	},
 	"prebuilt_workspace": {
 		// Prebuilt_workspace actions currently apply only to delete operations.
-		// To successfully delete a workspace, a user must have the following permissions:
-		//   * read: to read the current workspace state
+		// To successfully delete a prebuilt workspace, a user must have the following permissions:
+		//   * workspace.read: to read the current workspace state
 		//   * update: to modify workspace metadata and related resources during deletion
 		//             (e.g., updating the deleted field in the database)
 		//   * delete: to perform the actual deletion of the workspace
+		// If the user lacks prebuilt_workspace update or delete permissions,
+		// the authorization will always fall back to the corresponding permissions on workspace.
 		Actions: map[Action]ActionDefinition{
-			ActionRead:   actDef("read prebuilt workspace data"),
 			ActionUpdate: actDef("update prebuilt workspace settings"),
 			ActionDelete: actDef("delete prebuilt workspace"),
 		},
 
@@ -278,7 +278,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				// PrebuiltWorkspaces are a subset of Workspaces.
 				// Explicitly setting PrebuiltWorkspace permissions for clarity.
 				// Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions.
-				ResourcePrebuiltWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+				ResourcePrebuiltWorkspace.Type: {policy.ActionUpdate, policy.ActionDelete},
 			})...),
 		Org:  map[string][]Permission{},
 		User: []Permission{},
@@ -341,7 +341,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			// CRUD all files, even those they did not upload.
 			ResourceFile.Type:              {policy.ActionCreate, policy.ActionRead},
 			ResourceWorkspace.Type:         {policy.ActionRead},
-			ResourcePrebuiltWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+			ResourcePrebuiltWorkspace.Type: {policy.ActionUpdate, policy.ActionDelete},
 			// CRUD to provisioner daemons for now.
 			ResourceProvisionerDaemon.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 			// Needs to read all organizations since
@@ -424,7 +424,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 						// PrebuiltWorkspaces are a subset of Workspaces.
 						// Explicitly setting PrebuiltWorkspace permissions for clarity.
 						// Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions.
-						ResourcePrebuiltWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+						ResourcePrebuiltWorkspace.Type: {policy.ActionUpdate, policy.ActionDelete},
 					})...),
 				},
 				User: []Permission{},
@@ -505,7 +505,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 						ResourceTemplate.Type:          ResourceTemplate.AvailableActions(),
 						ResourceFile.Type:              {policy.ActionCreate, policy.ActionRead},
 						ResourceWorkspace.Type:         {policy.ActionRead},
-						ResourcePrebuiltWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+						ResourcePrebuiltWorkspace.Type: {policy.ActionUpdate, policy.ActionDelete},
 						// Assigning template perms requires this permission.
 						ResourceOrganization.Type:       {policy.ActionRead},
 						ResourceOrganizationMember.Type: {policy.ActionRead},
 
@@ -3,9 +3,10 @@ package rbac_test
 import (
 	"context"
 	"fmt"
-	"github.com/coder/coder/v2/coderd/database"
 	"testing"
 
+	"github.com/coder/coder/v2/coderd/database"
+
 	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/assert"
@@ -499,7 +500,7 @@ func TestRolePermissions(t *testing.T) {
 		},
 		{
 			Name:     "PrebuiltWorkspace",
-			Actions:  []policy.Action{policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+			Actions:  []policy.Action{policy.ActionUpdate, policy.ActionDelete},
 			Resource: rbac.ResourcePrebuiltWorkspace.WithID(uuid.New()).InOrg(orgID).WithOwner(database.PrebuildsSystemUserID.String()),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
 				true:  {owner, orgAdmin, templateAdmin, orgTemplateAdmin},
 
@@ -918,7 +918,18 @@ func (b *Builder) authorize(authFunc func(action policy.Action, object rbac.Obje
 		msg := fmt.Sprintf("Transition %q not supported.", b.trans)
 		return BuildError{http.StatusBadRequest, msg, xerrors.New(msg)}
 	}
-	if !authFunc(action, b.workspace) {
+
+	// Special handling for prebuilt workspace deletion
+	authorized := false
+	if action == policy.ActionDelete && b.workspace.IsPrebuild() && authFunc(action, b.workspace.AsPrebuild()) {
+		authorized = true
+	}
+	// Fallback to default authorization
+	if !authorized && authFunc(action, b.workspace) {
+		authorized = true
+	}
+
+	if !authorized {
 		if authFunc(policy.ActionRead, b.workspace) {
 			// If the user can read the workspace, but not delete/create/update. Show
 			// a more helpful error. They are allowed to know the workspace exists.