fix: exclude prebuiltWorkspace permissions from orgAdmin role

ssncferreira · ssncferreira · commit 6cae7699273a · 2025-06-12T11:12:16.000Z
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -414,7 +414,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				}),
 				Org: map[string][]Permission{
 					// Org admins should not have workspace exec perms.
-					organizationID.String(): append(allPermsExcept(ResourceWorkspace, ResourceWorkspaceDormant, ResourceAssignRole), Permissions(map[string][]policy.Action{
+					organizationID.String(): append(allPermsExcept(ResourceWorkspace, ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceAssignRole), Permissions(map[string][]policy.Action{
 						ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop, policy.ActionCreateAgent, policy.ActionDeleteAgent},
 						ResourceWorkspace.Type:        slice.Omit(ResourceWorkspace.AvailableActions(), policy.ActionApplicationConnect, policy.ActionSSH),
 					})...),
diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
@@ -501,8 +501,8 @@ func TestRolePermissions(t *testing.T) {
 			Actions:  []policy.Action{policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 			Resource: rbac.ResourcePrebuiltWorkspace.WithID(uuid.New()).InOrg(orgID).WithOwner(memberMe.Actor.ID),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
-				true:  {owner, orgAdmin, orgMemberMe, templateAdmin, orgTemplateAdmin},
-				false: {setOtherOrg, userAdmin, memberMe, orgUserAdmin, orgAuditor},
+				true:  {owner, orgMemberMe, templateAdmin, orgTemplateAdmin},
+				false: {setOtherOrg, userAdmin, memberMe, orgAdmin, orgUserAdmin, orgAuditor},
 			},
 		},
 		// Some admin style resources
diff --git a/enterprise/coderd/prebuilds/claim_test.go b/enterprise/coderd/prebuilds/claim_test.go
@@ -415,18 +415,18 @@ func templateWithAgentAndPresetsWithPrebuilds(desiredInstances int32) *echo.Resp
 									Instances: desiredInstances,
 								},
 							},
-							//{
-							//	Name: "preset-b",
-							//	Parameters: []*proto.PresetParameter{
-							//		{
-							//			Name:  "k1",
-							//			Value: "v2",
-							//		},
-							//	},
-							//	Prebuild: &proto.Prebuild{
-							//		Instances: desiredInstances,
-							//	},
-							// },
+							{
+								Name: "preset-b",
+								Parameters: []*proto.PresetParameter{
+									{
+										Name:  "k1",
+										Value: "v2",
+									},
+								},
+								Prebuild: &proto.Prebuild{
+									Instances: desiredInstances,
+								},
+							},
 						},
 					},
 				},
diff --git a/enterprise/coderd/prebuilds/reconcile_test.go b/enterprise/coderd/prebuilds/reconcile_test.go
@@ -475,26 +475,11 @@ func TestTemplateAdminDelete(t *testing.T) {
 		template := coderdtest.CreateTemplate(t, client, orgID, version.ID)
 		presets, err := client.TemplateVersionPresets(ctx, version.ID)
 		require.NoError(t, err)
-		require.Len(t, presets, 1)
+		require.Len(t, presets, 2)
 		preset := setupTestDBPreset(t, db, version.ID, 2, "b0rked")
 
 		templateAdminClient, _ := coderdtest.CreateAnotherUser(t, client, orgID, rbac.RoleTemplateAdmin())
 
-		state, err := reconciler.SnapshotState(ctx, spy)
-		require.NoError(t, err)
-		require.Len(t, state.Presets, 2)
-
-		for _, preset := range presets {
-			ps, err := state.FilterByPreset(preset.ID)
-			require.NoError(t, err)
-			require.NotNil(t, ps)
-			actions, err := reconciler.CalculateActions(ctx, *ps)
-			require.NoError(t, err)
-			require.NotNil(t, actions)
-
-			require.NoError(t, reconciler.ReconcilePreset(ctx, *ps))
-		}
-
 		workspace, _ := setupTestDBPrebuild(
 			t,
 			clock,
