do not show app links to users without workspace update access

AbhineetJain · AbhineetJain · commit c05da12a7042 · 2022-06-09T18:19:14.000Z
diff --git a/site/src/components/Resources/Resources.tsx b/site/src/components/Resources/Resources.tsx
@@ -63,9 +63,10 @@ interface ResourcesProps {
   resources?: WorkspaceResource[]
   getResourcesError?: Error
   workspace: Workspace
+  canUpdateWorkspace: boolean
 }
 
-export const Resources: FC<ResourcesProps> = ({ resources, getResourcesError, workspace }) => {
+export const Resources: FC<ResourcesProps> = ({ resources, getResourcesError, workspace, canUpdateWorkspace }) => {
   const styles = useStyles()
   const theme: Theme = useTheme()
 
@@ -89,7 +90,7 @@ export const Resources: FC<ResourcesProps> = ({ resources, getResourcesError, wo
                   <AgentHelpTooltip />
                 </Stack>
               </TableCell>
-              <TableCell>{Language.accessLabel}</TableCell>
+              {canUpdateWorkspace && <TableCell>{Language.accessLabel}</TableCell>}
               <TableCell>{Language.statusLabel}</TableCell>
             </TableHeaderRow>
           </TableHead>
@@ -130,28 +131,30 @@ export const Resources: FC<ResourcesProps> = ({ resources, getResourcesError, wo
                       {agent.name}
                       <span className={styles.operatingSystem}>{agent.operating_system}</span>
                     </TableCell>
-                    <TableCell>
-                      <Stack>
-                        {agent.status === "connected" && (
-                          <TerminalLink
-                            className={styles.accessLink}
-                            workspaceName={workspace.name}
-                            agentName={agent.name}
-                            userName={workspace.owner_name}
-                          />
-                        )}
-                        {agent.status === "connected" &&
-                          agent.apps.map((app) => (
-                            <AppLink
-                              key={app.name}
-                              appIcon={app.icon}
-                              appName={app.name}
-                              userName={workspace.owner_name}
+                    {canUpdateWorkspace && (
+                      <TableCell>
+                        <Stack>
+                          {agent.status === "connected" && (
+                            <TerminalLink
+                              className={styles.accessLink}
                               workspaceName={workspace.name}
+                              agentName={agent.name}
+                              userName={workspace.owner_name}
                             />
-                          ))}
-                      </Stack>
-                    </TableCell>
+                          )}
+                          {agent.status === "connected" &&
+                            agent.apps.map((app) => (
+                              <AppLink
+                                key={app.name}
+                                appIcon={app.icon}
+                                appName={app.name}
+                                userName={workspace.owner_name}
+                                workspaceName={workspace.name}
+                              />
+                            ))}
+                        </Stack>
+                      </TableCell>
+                    )}
                     <TableCell>
                       <span style={{ color: getDisplayAgentStatus(theme, agent).color }}>
                         {getDisplayAgentStatus(theme, agent).status}
diff --git a/site/src/components/Workspace/Workspace.stories.tsx b/site/src/components/Workspace/Workspace.stories.tsx
@@ -22,6 +22,13 @@ Started.args = {
   handleStop: action("stop"),
   resources: [Mocks.MockWorkspaceResource, Mocks.MockWorkspaceResource2],
   builds: [Mocks.MockWorkspaceBuild],
+  canUpdateWorkspace: true,
+}
+
+export const WithoutUpdateAccess = Template.bind({})
+WithoutUpdateAccess.args = {
+  ...Started.args,
+  canUpdateWorkspace: false,
 }
 
 export const Starting = Template.bind({})
diff --git a/site/src/components/Workspace/Workspace.tsx b/site/src/components/Workspace/Workspace.tsx
@@ -26,6 +26,7 @@ export interface WorkspaceProps {
   resources?: TypesGen.WorkspaceResource[]
   getResourcesError?: Error
   builds?: TypesGen.WorkspaceBuild[]
+  canUpdateWorkspace: boolean
 }
 
 /**
@@ -42,6 +43,7 @@ export const Workspace: FC<WorkspaceProps> = ({
   resources,
   getResourcesError,
   builds,
+  canUpdateWorkspace,
 }) => {
   const styles = useStyles()
 
@@ -74,7 +76,12 @@ export const Workspace: FC<WorkspaceProps> = ({
 
           <WorkspaceStats workspace={workspace} />
 
-          <Resources resources={resources} getResourcesError={getResourcesError} workspace={workspace} />
+          <Resources
+            resources={resources}
+            getResourcesError={getResourcesError}
+            workspace={workspace}
+            canUpdateWorkspace={canUpdateWorkspace}
+          />
 
           <WorkspaceSection title="Timeline" contentsProps={{ className: styles.timelineContents }}>
             <BuildsTable builds={builds} className={styles.timelineTable} />
diff --git a/site/src/pages/WorkspacePage/WorkspacePage.tsx b/site/src/pages/WorkspacePage/WorkspacePage.tsx
@@ -1,5 +1,5 @@
-import { useMachine } from "@xstate/react"
-import React, { useEffect } from "react"
+import { useMachine, useSelector } from "@xstate/react"
+import React, { useContext, useEffect } from "react"
 import { Helmet } from "react-helmet"
 import { useNavigate, useParams } from "react-router-dom"
 import { DeleteWorkspaceDialog } from "../../components/DeleteWorkspaceDialog/DeleteWorkspaceDialog"
@@ -8,6 +8,8 @@ import { FullScreenLoader } from "../../components/Loader/FullScreenLoader"
 import { Workspace } from "../../components/Workspace/Workspace"
 import { firstOrItem } from "../../util/array"
 import { pageTitle } from "../../util/page"
+import { selectUser } from "../../xServices/auth/authSelectors"
+import { XServiceContext } from "../../xServices/StateContext"
 import { workspaceMachine } from "../../xServices/workspace/workspaceXService"
 import { workspaceScheduleBannerMachine } from "../../xServices/workspaceSchedule/workspaceScheduleBannerXService"
 
@@ -17,8 +19,13 @@ export const WorkspacePage: React.FC = () => {
   const username = firstOrItem(usernameQueryParam, null)
   const workspaceName = firstOrItem(workspaceQueryParam, null)
 
-  const [workspaceState, workspaceSend] = useMachine(workspaceMachine)
-  const { workspace, resources, getWorkspaceError, getResourcesError, builds } = workspaceState.context
+  const xServices = useContext(XServiceContext)
+  const me = useSelector(xServices.authXService, selectUser)
+
+  const [workspaceState, workspaceSend] = useMachine(workspaceMachine.withContext({ userId: me?.id }))
+  const { workspace, resources, getWorkspaceError, getResourcesError, builds, permissions } = workspaceState.context
+
+  const canUpdateWorkspace = !!permissions?.updateWorkspace
 
   const [bannerState, bannerSend] = useMachine(workspaceScheduleBannerMachine)
 
@@ -57,6 +64,7 @@ export const WorkspacePage: React.FC = () => {
           resources={resources}
           getResourcesError={getResourcesError instanceof Error ? getResourcesError : undefined}
           builds={builds}
+          canUpdateWorkspace={canUpdateWorkspace}
         />
         <DeleteWorkspaceDialog
           isOpen={workspaceState.matches({ ready: { build: "askingDelete" } })}
diff --git a/site/src/xServices/auth/authSelectors.ts b/site/src/xServices/auth/authSelectors.ts
@@ -10,3 +10,7 @@ export const selectOrgId = (state: AuthState): string | undefined => {
 export const selectPermissions = (state: AuthState): AuthContext["permissions"] => {
   return state.context.permissions
 }
+
+export const selectUser = (state: AuthState): AuthContext["me"] => {
+  return state.context.me
+}
diff --git a/site/src/xServices/workspace/workspaceXService.ts b/site/src/xServices/workspace/workspaceXService.ts
@@ -17,6 +17,8 @@ const Language = {
   buildError: "Workspace action failed.",
 }
 
+type Permissions = Record<keyof ReturnType<typeof permissionsToCheck>, boolean>
+
 export interface WorkspaceContext {
   workspace?: TypesGen.Workspace
   template?: TypesGen.Template
@@ -26,14 +28,18 @@ export interface WorkspaceContext {
   // error creating a new WorkspaceBuild
   buildError?: Error | unknown
   // these are separate from getX errors because they don't make the page unusable
-  refreshWorkspaceError: Error | unknown
-  refreshTemplateError: Error | unknown
-  getResourcesError: Error | unknown
+  refreshWorkspaceError?: Error | unknown
+  refreshTemplateError?: Error | unknown
+  getResourcesError?: Error | unknown
   // Builds
   builds?: TypesGen.WorkspaceBuild[]
   getBuildsError?: Error | unknown
   loadMoreBuildsError?: Error | unknown
-  cancellationMessage: string
+  cancellationMessage?: string
+  // permissions
+  permissions?: Permissions
+  checkPermissionsError?: Error | unknown
+  userId?: string
 }
 
 export type WorkspaceEvent =
@@ -48,6 +54,30 @@ export type WorkspaceEvent =
   | { type: "LOAD_MORE_BUILDS" }
   | { type: "REFRESH_TIMELINE" }
 
+export const checks = {
+  readWorkspace: "readWorkspace",
+  updateWorkspace: "updateWorkspace",
+} as const
+
+const permissionsToCheck = (workspace: TypesGen.Workspace) => ({
+  [checks.readWorkspace]: {
+    object: {
+      resource_type: "workspace",
+      resource_id: workspace.id,
+      owner_id: workspace.owner_id,
+    },
+    action: "read",
+  },
+  [checks.updateWorkspace]: {
+    object: {
+      resource_type: "workspace",
+      resource_id: workspace.id,
+      owner_id: workspace.owner_id,
+    },
+    action: "update",
+  },
+})
+
 export const workspaceMachine = createMachine(
   {
     tsTypes: {} as import("./workspaceXService.typegen").Typegen0,
@@ -82,6 +112,9 @@ export const workspaceMachine = createMachine(
         loadMoreBuilds: {
           data: TypesGen.WorkspaceBuild[]
         }
+        checkPermissions: {
+          data: TypesGen.UserAuthorizationResponse
+        }
       },
     },
     id: "workspaceState",
@@ -99,7 +132,7 @@ export const workspaceMachine = createMachine(
           src: "getWorkspace",
           id: "getWorkspace",
           onDone: {
-            target: "ready",
+            target: "gettingPermissions",
             actions: ["assignWorkspace"],
           },
           onError: {
@@ -109,6 +142,25 @@ export const workspaceMachine = createMachine(
         },
         tags: "loading",
       },
+      gettingPermissions: {
+        entry: "clearGetPermissionsError",
+        invoke: {
+          src: "checkPermissions",
+          id: "checkPermissions",
+          onDone: [
+            {
+              actions: ["assignPermissions"],
+              target: "ready",
+            },
+          ],
+          onError: [
+            {
+              actions: "assignGetPermissionsError",
+              target: "error",
+            },
+          ],
+        },
+      },
       ready: {
         type: "parallel",
         states: {
@@ -312,6 +364,7 @@ export const workspaceMachine = createMachine(
           workspace: undefined,
           template: undefined,
           build: undefined,
+          permissions: undefined,
         }),
       assignWorkspace: assign({
         workspace: (_, event) => event.data,
@@ -323,6 +376,17 @@ export const workspaceMachine = createMachine(
       assignTemplate: assign({
         template: (_, event) => event.data,
       }),
+      assignPermissions: assign({
+        // Setting event.data as Permissions to be more stricted. So we know
+        // what permissions we asked for.
+        permissions: (_, event) => event.data as Permissions,
+      }),
+      assignGetPermissionsError: assign({
+        checkPermissionsError: (_, event) => event.data,
+      }),
+      clearGetPermissionsError: assign({
+        checkPermissionsError: (_) => undefined,
+      }),
       assignBuild: (_, event) =>
         assign({
           build: event.data,
@@ -347,7 +411,7 @@ export const workspaceMachine = createMachine(
           cancellationMessage: undefined,
         }),
       displayCancellationError: (context) => {
-        displayError(context.cancellationMessage)
+        displayError(context.cancellationMessage || "Cancellation failed")
       },
       assignRefreshWorkspaceError: (_, event) =>
         assign({
@@ -487,14 +551,23 @@ export const workspaceMachine = createMachine(
         if (context.workspace) {
           return await API.getWorkspaceBuilds(context.workspace.id)
         } else {
-          throw Error("Cannot refresh workspace without id")
+          throw Error("Cannot get builds without id")
         }
       },
       loadMoreBuilds: async (context) => {
         if (context.workspace) {
           return await API.getWorkspaceBuilds(context.workspace.id)
         } else {
-          throw Error("Cannot refresh workspace without id")
+          throw Error("Cannot load more builds without id")
+        }
+      },
+      checkPermissions: async (context) => {
+        if (context.workspace && context.userId) {
+          return await API.checkUserPermissions(context.userId, {
+            checks: permissionsToCheck(context.workspace),
+          })
+        } else {
+          throw Error("Cannot check permissions without both workspace and user id")
         }
       },
     },

Original file line number	Diff line number	Diff line change
`@@ -10,3 +10,7 @@ export const selectOrgId = (state: AuthState): string \| undefined => {`
`10`	`10`	`export const selectPermissions = (state: AuthState): AuthContext["permissions"] => {`
`11`	`11`	`return state.context.permissions`
`12`	`12`	`}`
	`13`	`+`
	`14`	`+export const selectUser = (state: AuthState): AuthContext["me"] => {`
	`15`	`+ return state.context.me`
	`16`	`+}`