coder
diff --git a/‎cli/server.go
+1-1 b/‎cli/server.go
+1-1
diff --git a/‎cli/templates.go
-2 b/‎cli/templates.go
-2
diff --git a/‎cli/templateversionarchive.go
-2 b/‎cli/templateversionarchive.go
-2
diff --git a/‎cli/templateversions.go
-2 b/‎cli/templateversions.go
-2
diff --git a/‎coderd/apidoc/docs.go
+8 b/‎coderd/apidoc/docs.go
+8
diff --git a/‎coderd/apidoc/swagger.json
+8 b/‎coderd/apidoc/swagger.json
+8
diff --git a/‎coderd/autobuild/lifecycle_executor.go
+14-2 b/‎coderd/autobuild/lifecycle_executor.go
+14-2
diff --git a/‎coderd/autobuild/lifecycle_executor_test.go
+50 b/‎coderd/autobuild/lifecycle_executor_test.go
+50
diff --git a/‎coderd/coderd.go
+14 b/‎coderd/coderd.go
+14
diff --git a/‎coderd/coderdtest/coderdtest.go
+15-4 b/‎coderd/coderdtest/coderdtest.go
+15-4
diff --git a/‎coderd/database/dbauthz/accesscontrol.go
+37 b/‎coderd/database/dbauthz/accesscontrol.go
+37
@@ -940,7 +940,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			autobuildTicker := time.NewTicker(vals.AutobuildPollInterval.Value())
 			defer autobuildTicker.Stop()
 			autobuildExecutor := autobuild.NewExecutor(
-				ctx, options.Database, options.Pubsub, coderAPI.TemplateScheduleStore, &coderAPI.Auditor, logger, autobuildTicker.C)
+				ctx, options.Database, options.Pubsub, coderAPI.TemplateScheduleStore, &coderAPI.Auditor, coderAPI.AccessControlStore, logger, autobuildTicker.C)
 			autobuildExecutor.Run()
 
 			hangDetectorTicker := time.NewTicker(vals.JobHangDetectorInterval.Value())
 
@@ -6,8 +6,6 @@ import (
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
-	"github.com/coder/pretty"
-
 	"github.com/coder/coder/v2/cli/clibase"
 	"github.com/coder/coder/v2/cli/cliui"
 	"github.com/coder/coder/v2/codersdk"
 
@@ -8,8 +8,6 @@ import (
 
 	"golang.org/x/xerrors"
 
-	"github.com/coder/pretty"
-
 	"github.com/coder/coder/v2/cli/clibase"
 	"github.com/coder/coder/v2/cli/cliui"
 	"github.com/coder/coder/v2/codersdk"
 
@@ -8,8 +8,6 @@ import (
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
-	"github.com/coder/pretty"
-
 	"github.com/coder/coder/v2/cli/clibase"
 	"github.com/coder/coder/v2/cli/cliui"
 	"github.com/coder/coder/v2/codersdk"
 
@@ -32,6 +32,7 @@ type Executor struct {
 	db                    database.Store
 	ps                    pubsub.Pubsub
 	templateScheduleStore *atomic.Pointer[schedule.TemplateScheduleStore]
+	accessControlStore    *atomic.Pointer[dbauthz.AccessControlStore]
 	auditor               *atomic.Pointer[audit.Auditor]
 	log                   slog.Logger
 	tick                  <-chan time.Time
@@ -46,7 +47,7 @@ type Stats struct {
 }
 
 // New returns a new wsactions executor.
-func NewExecutor(ctx context.Context, db database.Store, ps pubsub.Pubsub, tss *atomic.Pointer[schedule.TemplateScheduleStore], auditor *atomic.Pointer[audit.Auditor], log slog.Logger, tick <-chan time.Time) *Executor {
+func NewExecutor(ctx context.Context, db database.Store, ps pubsub.Pubsub, tss *atomic.Pointer[schedule.TemplateScheduleStore], auditor *atomic.Pointer[audit.Auditor], acs *atomic.Pointer[dbauthz.AccessControlStore], log slog.Logger, tick <-chan time.Time) *Executor {
 	le := &Executor{
 		//nolint:gocritic // Autostart has a limited set of permissions.
 		ctx:                   dbauthz.AsAutostart(ctx),
@@ -56,6 +57,7 @@ func NewExecutor(ctx context.Context, db database.Store, ps pubsub.Pubsub, tss *
 		tick:                  tick,
 		log:                   log.Named("autobuild"),
 		auditor:               auditor,
+		accessControlStore:    acs,
 	}
 	return le
 }
@@ -159,6 +161,12 @@ func (e *Executor) runOnce(t time.Time) Stats {
 					return nil
 				}
 
+				template, err := tx.GetTemplateByID(e.ctx, ws.TemplateID)
+				if err != nil {
+					log.Warn(e.ctx, "get template by id", slog.Error(err))
+				}
+				accessControl := (*(e.accessControlStore.Load())).GetTemplateAccessControl(template)
+
 				latestJob, err := tx.GetProvisionerJobByID(e.ctx, latestBuild.JobID)
 				if err != nil {
 					log.Warn(e.ctx, "get last provisioner job for workspace %q: %w", slog.Error(err))
@@ -179,7 +187,7 @@ func (e *Executor) runOnce(t time.Time) Stats {
 						Reason(reason)
 					log.Debug(e.ctx, "auto building workspace", slog.F("transition", nextTransition))
 					if nextTransition == database.WorkspaceTransitionStart &&
-						ws.AutomaticUpdates == database.AutomaticUpdatesAlways {
+						useActiveVersion(accessControl, ws) {
 						log.Debug(e.ctx, "autostarting with active version")
 						builder = builder.ActiveVersion()
 					}
@@ -470,3 +478,7 @@ func auditBuild(ctx context.Context, log slog.Logger, auditor audit.Auditor, par
 		AdditionalFields: raw,
 	})
 }
+
+func useActiveVersion(opts dbauthz.TemplateAccessControl, ws database.Workspace) bool {
+	return opts.RequireActiveVersion || ws.AutomaticUpdates == database.AutomaticUpdatesAlways
+}
@@ -783,6 +783,56 @@ func TestExecutorAutostopTemplateDisabled(t *testing.T) {
 	assert.Len(t, stats.Transitions, 0)
 }
 
+// Test that an AGPL AccessControlStore properly disables
+// functionality.
+func TestExecutorRequireActiveVersion(t *testing.T) {
+	t.Parallel()
+
+	var (
+		sched  = mustSchedule(t, "CRON_TZ=UTC 0 * * * *")
+		ticker = make(chan time.Time)
+		statCh = make(chan autobuild.Stats)
+
+		ownerClient = coderdtest.New(t, &coderdtest.Options{
+			AutobuildTicker:          ticker,
+			IncludeProvisionerDaemon: true,
+			AutobuildStats:           statCh,
+			TemplateScheduleStore:    schedule.NewAGPLTemplateScheduleStore(),
+		})
+	)
+	owner := coderdtest.CreateFirstUser(t, ownerClient)
+
+	// Create an active and inactive template version. We'll
+	// build a regular member's workspace using a non-active
+	// template version and assert that the field is not abided
+	// since there is no enterprise license.
+	activeVersion := coderdtest.CreateTemplateVersion(t, ownerClient, owner.OrganizationID, nil)
+	template := coderdtest.CreateTemplate(t, ownerClient, owner.OrganizationID, activeVersion.ID, func(ctr *codersdk.CreateTemplateRequest) {
+		ctr.RequireActiveVersion = true
+		ctr.VersionID = activeVersion.ID
+	})
+	inactiveVersion := coderdtest.CreateTemplateVersion(t, ownerClient, owner.OrganizationID, nil, func(ctvr *codersdk.CreateTemplateVersionRequest) {
+		ctvr.TemplateID = template.ID
+	})
+	coderdtest.AwaitTemplateVersionJobCompleted(t, ownerClient, activeVersion.ID)
+	memberClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID)
+	ws := coderdtest.CreateWorkspace(t, memberClient, owner.OrganizationID, uuid.Nil, func(cwr *codersdk.CreateWorkspaceRequest) {
+		cwr.TemplateVersionID = inactiveVersion.ID
+		cwr.AutostartSchedule = ptr.Ref(sched.String())
+	})
+	_ = coderdtest.AwaitWorkspaceBuildJobCompleted(t, ownerClient, ws.LatestBuild.ID)
+	ws = coderdtest.MustTransitionWorkspace(t, memberClient, ws.ID, database.WorkspaceTransitionStart, database.WorkspaceTransitionStop, func(req *codersdk.CreateWorkspaceBuildRequest) {
+		req.TemplateVersionID = inactiveVersion.ID
+	})
+	require.Equal(t, inactiveVersion.ID, ws.LatestBuild.TemplateVersionID)
+	ticker <- sched.Next(ws.LatestBuild.CreatedAt)
+	stats := <-statCh
+	require.Len(t, stats.Transitions, 1)
+
+	ws = coderdtest.MustWorkspace(t, memberClient, ws.ID)
+	require.Equal(t, inactiveVersion.ID, ws.LatestBuild.TemplateVersionID)
+}
+
 // TestExecutorFailedWorkspace test AGPL functionality which mainly
 // ensures that autostop actions as a result of a failed workspace
 // build do not trigger.
 
@@ -131,6 +131,7 @@ type Options struct {
 	SetUserSiteRoles            func(ctx context.Context, logger slog.Logger, tx database.Store, userID uuid.UUID, roles []string) error
 	TemplateScheduleStore       *atomic.Pointer[schedule.TemplateScheduleStore]
 	UserQuietHoursScheduleStore *atomic.Pointer[schedule.UserQuietHoursScheduleStore]
+	AccessControlStore          *atomic.Pointer[dbauthz.AccessControlStore]
 	// AppSecurityKey is the crypto key used to sign and encrypt tokens related to
 	// workspace applications. It consists of both a signing and encryption key.
 	AppSecurityKey     workspaceapps.SecurityKey
@@ -208,11 +209,20 @@ func New(options *Options) *API {
 	if options.Authorizer == nil {
 		options.Authorizer = rbac.NewCachingAuthorizer(options.PrometheusRegistry)
 	}
+
+	if options.AccessControlStore == nil {
+		options.AccessControlStore = &atomic.Pointer[dbauthz.AccessControlStore]{}
+		var tacs dbauthz.AccessControlStore = dbauthz.AGPLTemplateAccessControlStore{}
+		options.AccessControlStore.Store(&tacs)
+	}
+
 	options.Database = dbauthz.New(
 		options.Database,
 		options.Authorizer,
 		options.Logger.Named("authz_querier"),
+		options.AccessControlStore,
 	)
+
 	experiments := ReadExperiments(
 		options.Logger, options.DeploymentValues.Experiments.Value(),
 	)
@@ -369,6 +379,7 @@ func New(options *Options) *API {
 		Auditor:                     atomic.Pointer[audit.Auditor]{},
 		TemplateScheduleStore:       options.TemplateScheduleStore,
 		UserQuietHoursScheduleStore: options.UserQuietHoursScheduleStore,
+		AccessControlStore:          options.AccessControlStore,
 		Experiments:                 experiments,
 		healthCheckGroup:            &singleflight.Group[string, *healthcheck.Report]{},
 		Acquirer: provisionerdserver.NewAcquirer(
@@ -1008,6 +1019,9 @@ type API struct {
 	UserQuietHoursScheduleStore *atomic.Pointer[schedule.UserQuietHoursScheduleStore]
 	// DERPMapper mutates the DERPMap to include workspace proxies.
 	DERPMapper atomic.Pointer[func(derpMap *tailcfg.DERPMap) *tailcfg.DERPMap]
+	// AccessControlStore is a pointer to an atomic pointer since it is
+	// passed to dbauthz.
+	AccessControlStore *atomic.Pointer[dbauthz.AccessControlStore]
 
 	HTTPAuth *HTTPAuthorizer
 
 
@@ -218,7 +218,6 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 
 	if options.Database == nil {
 		options.Database, options.Pubsub = dbtestutil.NewDB(t)
-		options.Database = dbauthz.New(options.Database, options.Authorizer, options.Logger.Leveled(slog.LevelDebug))
 	}
 
 	// Some routes expect a deployment ID, so just make sure one exists.
@@ -260,6 +259,10 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 		t.Cleanup(closeBatcher)
 	}
 
+	accessControlStore := &atomic.Pointer[dbauthz.AccessControlStore]{}
+	var acs dbauthz.AccessControlStore = dbauthz.AGPLTemplateAccessControlStore{}
+	accessControlStore.Store(&acs)
+
 	var templateScheduleStore atomic.Pointer[schedule.TemplateScheduleStore]
 	if options.TemplateScheduleStore == nil {
 		options.TemplateScheduleStore = schedule.NewAGPLTemplateScheduleStore()
@@ -279,6 +282,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 		options.Pubsub,
 		&templateScheduleStore,
 		&auditor,
+		accessControlStore,
 		*options.Logger,
 		options.AutobuildTicker,
 	).WithStatsChannel(options.AutobuildStats)
@@ -416,6 +420,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 			Authorizer:                         options.Authorizer,
 			Telemetry:                          telemetry.NewNoop(),
 			TemplateScheduleStore:              &templateScheduleStore,
+			AccessControlStore:                 accessControlStore,
 			TLSCertificates:                    options.TLSCertificates,
 			TrialGenerator:                     options.TrialGenerator,
 			TailnetCoordinator:                 options.Coordinator,
@@ -915,7 +920,7 @@ func CreateWorkspace(t testing.TB, client *codersdk.Client, organization uuid.UU
 }
 
 // TransitionWorkspace is a convenience method for transitioning a workspace from one state to another.
-func MustTransitionWorkspace(t testing.TB, client *codersdk.Client, workspaceID uuid.UUID, from, to database.WorkspaceTransition) codersdk.Workspace {
+func MustTransitionWorkspace(t testing.TB, client *codersdk.Client, workspaceID uuid.UUID, from, to database.WorkspaceTransition, muts ...func(req *codersdk.CreateWorkspaceBuildRequest)) codersdk.Workspace {
 	t.Helper()
 	ctx := context.Background()
 	workspace, err := client.Workspace(ctx, workspaceID)
@@ -925,10 +930,16 @@ func MustTransitionWorkspace(t testing.TB, client *codersdk.Client, workspaceID
 	template, err := client.Template(ctx, workspace.TemplateID)
 	require.NoError(t, err, "fetch workspace template")
 
-	build, err := client.CreateWorkspaceBuild(ctx, workspace.ID, codersdk.CreateWorkspaceBuildRequest{
+	req := codersdk.CreateWorkspaceBuildRequest{
 		TemplateVersionID: template.ActiveVersionID,
 		Transition:        codersdk.WorkspaceTransition(to),
-	})
+	}
+
+	for _, mut := range muts {
+		mut(&req)
+	}
+
+	build, err := client.CreateWorkspaceBuild(ctx, workspace.ID, req)
 	require.NoError(t, err, "unexpected error transitioning workspace to %s", to)
 
 	_ = AwaitWorkspaceBuildJobCompleted(t, client, build.ID)
 
@@ -0,0 +1,37 @@
+package dbauthz
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+
+	"github.com/coder/coder/v2/coderd/database"
+)
+
+// AccessControlStore fetches access control-related configuration
+// that is used when determining whether an actor is authorized
+// to interact with an RBAC object.
+type AccessControlStore interface {
+	GetTemplateAccessControl(t database.Template) TemplateAccessControl
+	SetTemplateAccessControl(ctx context.Context, store database.Store, id uuid.UUID, opts TemplateAccessControl) error
+}
+
+type TemplateAccessControl struct {
+	RequireActiveVersion bool
+}
+
+// AGPLTemplateAccessControlStore always returns the defaults for access control
+// settings.
+type AGPLTemplateAccessControlStore struct{}
+
+var _ AccessControlStore = AGPLTemplateAccessControlStore{}
+
+func (AGPLTemplateAccessControlStore) GetTemplateAccessControl(database.Template) TemplateAccessControl {
+	return TemplateAccessControl{
+		RequireActiveVersion: false,
+	}
+}
+
+func (AGPLTemplateAccessControlStore) SetTemplateAccessControl(context.Context, database.Store, uuid.UUID, TemplateAccessControl) error {
+	return nil
+}