chore: improve code quality and add clarifying comments

ssncferreira · ssncferreira · commit b2c7bdd86ac4 · 2025-06-17T18:18:51.000Z
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -150,6 +150,30 @@ func (q *querier) authorizeContext(ctx context.Context, action policy.Action, ob
 	return nil
 }
 
+// authorizeWorkspace handles authorization for workspace resource types.
+// prebuilt_workspaces are a subset of workspaces, currently limited to
+// supporting delete operations. Therefore, if the action is delete or
+// update and the workspace is a prebuild, a prebuilt-specific authorization
+// is attempted first. If that fails, it falls back to normal workspace
+// authorization.
+// Note: Delete operations of workspaces requires both update and delete
+// permissions.
+func (q *querier) authorizeWorkspace(ctx context.Context, action policy.Action, workspace database.Workspace) error {
+	var prebuiltErr error
+	// Special handling for prebuilt_workspace deletion authorization check
+	if (action == policy.ActionUpdate || action == policy.ActionDelete) && workspace.IsPrebuild() {
+		// Try prebuilt-specific authorization first
+		if prebuiltErr = q.authorizeContext(ctx, action, workspace.AsPrebuild()); prebuiltErr == nil {
+			return nil
+		}
+	}
+	// Fallback to normal workspace authorization check
+	if err := q.authorizeContext(ctx, action, workspace); err != nil {
+		return xerrors.Errorf("authorize context: %w", errors.Join(prebuiltErr, err))
+	}
+	return nil
+}
+
 type authContextKey struct{}
 
 // ActorFromContext returns the authorization subject from the context.
@@ -3915,15 +3939,9 @@ func (q *querier) InsertWorkspaceBuild(ctx context.Context, arg database.InsertW
 		action = policy.ActionWorkspaceStop
 	}
 
-	if action == policy.ActionDelete && w.IsPrebuild() {
-		if err := q.authorizeContext(ctx, action, w.PrebuildRBAC()); err != nil {
-			// Fallback to normal workspace auth check
-			if err = q.authorizeContext(ctx, action, w); err != nil {
-				return xerrors.Errorf("authorize context: %w", err)
-			}
-		}
-	} else if err = q.authorizeContext(ctx, action, w); err != nil {
-		return xerrors.Errorf("authorize context: %w", err)
+	// Special handling for prebuilt workspace deletion
+	if err := q.authorizeWorkspace(ctx, action, w); err != nil {
+		return err
 	}
 
 	// If we're starting a workspace we need to check the template.
@@ -3962,16 +3980,8 @@ func (q *querier) InsertWorkspaceBuildParameters(ctx context.Context, arg databa
 		return err
 	}
 
-	if workspace.IsPrebuild() {
-		err = q.authorizeContext(ctx, policy.ActionUpdate, workspace.PrebuildRBAC())
-		// Fallback to normal workspace auth check
-		if err != nil {
-			err = q.authorizeContext(ctx, policy.ActionUpdate, workspace)
-		}
-	} else {
-		err = q.authorizeContext(ctx, policy.ActionUpdate, workspace)
-	}
-	if err != nil {
+	// Special handling for prebuilt workspace deletion
+	if err := q.authorizeWorkspace(ctx, policy.ActionUpdate, workspace); err != nil {
 		return err
 	}
 
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -227,17 +227,22 @@ func (w Workspace) WorkspaceTable() WorkspaceTable {
 
 func (w Workspace) RBACObject() rbac.Object {
 	// if w.IsPrebuild() {
-	//	return w.PrebuildRBAC()
+	//	return w.AsPrebuild()
 	//}
 	return w.WorkspaceTable().RBACObject()
 }
 
+// IsPrebuild returns true if the workspace is a prebuild workspace.
+// A workspace is considered a prebuild if its owner is the prebuild system user.
 func (w Workspace) IsPrebuild() bool {
 	// TODO: avoid import cycle
 	return w.OwnerID == uuid.MustParse("c42fdf75-3097-471c-8c33-fb52454d81c0")
 }
 
-func (w Workspace) PrebuildRBAC() rbac.Object {
+// AsPrebuild returns the RBAC object corresponding to the workspace type.
+// If the workspace is a prebuild, it returns a prebuilt_workspace RBAC object.
+// Otherwise, it returns a normal workspace RBAC object.
+func (w Workspace) AsPrebuild() rbac.Object {
 	if w.IsPrebuild() {
 		return rbac.ResourcePrebuiltWorkspace.WithID(w.ID).
 			InOrg(w.OrganizationID).
diff --git a/coderd/rbac/object_gen.go b/coderd/rbac/object_gen.go
diff --git a/coderd/rbac/policy/policy.go b/coderd/rbac/policy/policy.go
@@ -103,9 +103,15 @@ var RBACPermissions = map[string]PermissionDefinition{
 		Actions: workspaceActions,
 	},
 	"prebuilt_workspace": {
-		Actions: map[Action]ActionDefinition{
-			ActionRead:   actDef("read prebuilt workspace"),
-			ActionUpdate: actDef("update prebuilt workspace"),
+		// Prebuilt_workspace actions currently apply only to delete operations.
+		// To successfully delete a workspace, a user must have the following permissions:
+		//   * read: to read the current workspace state
+		//   * update: to modify workspace metadata and related resources during deletion
+		//             (e.g., updating the deleted field in the database)
+		//   * delete: to perform the actual deletion of the workspace
+		Actions: map[Action]ActionDefinition{
+			ActionRead:   actDef("read prebuilt workspace data"),
+			ActionUpdate: actDef("update prebuilt workspace settings"),
 			ActionDelete: actDef("delete prebuilt workspace"),
 		},
 	},
diff --git a/coderd/workspacebuilds.go b/coderd/workspacebuilds.go
@@ -404,16 +404,16 @@ func (api *API) postWorkspaceBuilds(rw http.ResponseWriter, r *http.Request) {
 			ctx,
 			tx,
 			func(action policy.Action, object rbac.Objecter) bool {
+				// Special handling for prebuilt workspace deletion
 				if object.RBACObject().Type == rbac.ResourceWorkspace.Type && action == policy.ActionDelete {
-					workspaceObj, ok := object.(database.Workspace)
-					if ok {
-						prebuild := workspaceObj.PrebuildRBAC()
-						// Fallback to normal workspace auth check
-						if auth := api.Authorize(r, action, prebuild); auth {
+					if workspaceObj, ok := object.(database.Workspace); ok {
+						// Try prebuilt-specific authorization first
+						if auth := api.Authorize(r, action, workspaceObj.AsPrebuild()); auth {
 							return auth
 						}
 					}
 				}
+				// Fallback to default authorization
 				return api.Authorize(r, action, object)
 			},
 			audit.WorkspaceBuildBaggageFromRequest(r),
diff --git a/site/src/api/rbacresourcesGenerated.ts b/site/src/api/rbacresourcesGenerated.ts
@@ -125,8 +125,8 @@ export const RBACResourceActions: Partial<
 	},
 	prebuilt_workspace: {
 		delete: "delete prebuilt workspace",
-		read: "read prebuilt workspace",
-		update: "update prebuilt workspace",
+		read: "read prebuilt workspace data",
+		update: "update prebuilt workspace settings",
 	},
 	provisioner_daemon: {
 		create: "create a provisioner daemon/key",
