coder
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 2 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 2 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 28 additions & 3 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 28 additions & 3 deletions
diff --git a/‎coderd/database/modelmethods.go
Lines changed: 17 additions & 0 deletions b/‎coderd/database/modelmethods.go
Lines changed: 17 additions & 0 deletions
diff --git a/‎coderd/rbac/object_gen.go
Lines changed: 10 additions & 0 deletions b/‎coderd/rbac/object_gen.go
Lines changed: 10 additions & 0 deletions
diff --git a/‎coderd/rbac/policy/policy.go
Lines changed: 7 additions & 0 deletions b/‎coderd/rbac/policy/policy.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/rbac/roles.go
Lines changed: 7 additions & 5 deletions b/‎coderd/rbac/roles.go
Lines changed: 7 additions & 5 deletions
diff --git a/‎coderd/workspacebuilds.go
Lines changed: 10 additions & 0 deletions b/‎coderd/workspacebuilds.go
Lines changed: 10 additions & 0 deletions
diff --git a/‎codersdk/rbacresources_gen.go
Lines changed: 2 additions & 0 deletions b/‎codersdk/rbacresources_gen.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎docs/reference/api/members.md
Lines changed: 5 additions & 0 deletions b/‎docs/reference/api/members.md
Lines changed: 5 additions & 0 deletions
diff --git a/‎docs/reference/api/schemas.md
Lines changed: 1 addition & 0 deletions b/‎docs/reference/api/schemas.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎enterprise/coderd/prebuilds/claim_test.go
Lines changed: 12 additions & 12 deletions b/‎enterprise/coderd/prebuilds/claim_test.go
Lines changed: 12 additions & 12 deletions
@@ -412,6 +412,9 @@ var (
 						policy.ActionCreate, policy.ActionDelete, policy.ActionRead, policy.ActionUpdate,
 						policy.ActionWorkspaceStart, policy.ActionWorkspaceStop,
 					},
+					rbac.ResourcePrebuiltWorkspace.Type: {
+						policy.ActionRead, policy.ActionUpdate, policy.ActionDelete,
+					},
 					// Should be able to add the prebuilds system user as a member to any organization that needs prebuilds.
 					rbac.ResourceOrganizationMember.Type: {
 						policy.ActionCreate,
@@ -3909,7 +3912,14 @@ func (q *querier) InsertWorkspaceBuild(ctx context.Context, arg database.InsertW
 		action = policy.ActionWorkspaceStop
 	}
 
-	if err = q.authorizeContext(ctx, action, w); err != nil {
+	if action == policy.ActionDelete && w.IsPrebuild() {
+		if err := q.authorizeContext(ctx, action, w.PrebuildRBAC()); err != nil {
+			// Fallback to normal workspace auth check
+			if err = q.authorizeContext(ctx, action, w); err != nil {
+				return xerrors.Errorf("authorize context: %w", err)
+			}
+		}
+	} else if err = q.authorizeContext(ctx, action, w); err != nil {
 		return xerrors.Errorf("authorize context: %w", err)
 	}
 
@@ -3927,7 +3937,14 @@ func (q *querier) InsertWorkspaceBuild(ctx context.Context, arg database.InsertW
 		// to use a non-active version then we must fail the request.
 		if accessControl.RequireActiveVersion {
 			if arg.TemplateVersionID != t.ActiveVersionID {
-				if err = q.authorizeContext(ctx, policy.ActionUpdate, t); err != nil {
+				if w.IsPrebuild() {
+					if err := q.authorizeContext(ctx, policy.ActionUpdate, w.PrebuildRBAC()); err != nil {
+						// Fallback to normal workspace auth check
+						if err = q.authorizeContext(ctx, policy.ActionUpdate, t); err != nil {
+							return xerrors.Errorf("cannot use non-active version: %w", err)
+						}
+					}
+				} else if err = q.authorizeContext(ctx, policy.ActionUpdate, t); err != nil {
 					return xerrors.Errorf("cannot use non-active version: %w", err)
 				}
 			}
@@ -3949,7 +3966,15 @@ func (q *querier) InsertWorkspaceBuildParameters(ctx context.Context, arg databa
 		return err
 	}
 
-	err = q.authorizeContext(ctx, policy.ActionUpdate, workspace)
+	if workspace.IsPrebuild() {
+		err = q.authorizeContext(ctx, policy.ActionUpdate, workspace.PrebuildRBAC())
+		// Fallback to normal workspace auth check
+		if err != nil {
+			err = q.authorizeContext(ctx, policy.ActionUpdate, workspace)
+		}
+	} else {
+		err = q.authorizeContext(ctx, policy.ActionUpdate, workspace)
+	}
 	if err != nil {
 		return err
 	}
 
@@ -226,9 +226,26 @@ func (w Workspace) WorkspaceTable() WorkspaceTable {
 }
 
 func (w Workspace) RBACObject() rbac.Object {
+	// if w.IsPrebuild() {
+	//	return w.PrebuildRBAC()
+	//}
 	return w.WorkspaceTable().RBACObject()
 }
 
+func (w Workspace) IsPrebuild() bool {
+	// TODO: avoid import cycle
+	return w.OwnerID == uuid.MustParse("c42fdf75-3097-471c-8c33-fb52454d81c0")
+}
+
+func (w Workspace) PrebuildRBAC() rbac.Object {
+	if w.IsPrebuild() {
+		return rbac.ResourcePrebuiltWorkspace.WithID(w.ID).
+			InOrg(w.OrganizationID).
+			WithOwner(w.OwnerID.String())
+	}
+	return w.RBACObject()
+}
+
 func (w WorkspaceTable) RBACObject() rbac.Object {
 	if w.DormantAt.Valid {
 		return w.DormantRBAC()
 
@@ -102,6 +102,13 @@ var RBACPermissions = map[string]PermissionDefinition{
 	"workspace_dormant": {
 		Actions: workspaceActions,
 	},
+	"prebuilt_workspace": {
+		Actions: map[Action]ActionDefinition{
+			ActionRead:   actDef("read prebuilt workspace"),
+			ActionUpdate: actDef("update prebuilt workspace"),
+			ActionDelete: actDef("delete prebuilt workspace"),
+		},
+	},
 	"workspace_proxy": {
 		Actions: map[Action]ActionDefinition{
 			ActionCreate: actDef("create a workspace proxy"),
 
@@ -335,8 +335,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			ResourceAssignOrgRole.Type: {policy.ActionRead},
 			ResourceTemplate.Type:      ResourceTemplate.AvailableActions(),
 			// CRUD all files, even those they did not upload.
-			ResourceFile.Type:      {policy.ActionCreate, policy.ActionRead},
-			ResourceWorkspace.Type: {policy.ActionRead},
+			ResourceFile.Type:              {policy.ActionCreate, policy.ActionRead},
+			ResourceWorkspace.Type:         {policy.ActionRead},
+			ResourcePrebuiltWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 			// CRUD to provisioner daemons for now.
 			ResourceProvisionerDaemon.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 			// Needs to read all organizations since
@@ -493,9 +494,10 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				Site:        []Permission{},
 				Org: map[string][]Permission{
 					organizationID.String(): Permissions(map[string][]policy.Action{
-						ResourceTemplate.Type:  ResourceTemplate.AvailableActions(),
-						ResourceFile.Type:      {policy.ActionCreate, policy.ActionRead},
-						ResourceWorkspace.Type: {policy.ActionRead},
+						ResourceTemplate.Type:          ResourceTemplate.AvailableActions(),
+						ResourceFile.Type:              {policy.ActionCreate, policy.ActionRead},
+						ResourceWorkspace.Type:         {policy.ActionRead},
+						ResourcePrebuiltWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 						// Assigning template perms requires this permission.
 						ResourceOrganization.Type:       {policy.ActionRead},
 						ResourceOrganizationMember.Type: {policy.ActionRead},
 
@@ -404,6 +404,16 @@ func (api *API) postWorkspaceBuilds(rw http.ResponseWriter, r *http.Request) {
 			ctx,
 			tx,
 			func(action policy.Action, object rbac.Objecter) bool {
+				if object.RBACObject().Type == rbac.ResourceWorkspace.Type && action == policy.ActionDelete {
+					workspaceObj, ok := object.(database.Workspace)
+					if ok {
+						prebuild := workspaceObj.PrebuildRBAC()
+						// Fallback to normal workspace auth check
+						if auth := api.Authorize(r, action, prebuild); auth {
+							return auth
+						}
+					}
+				}
 				return api.Authorize(r, action, object)
 			},
 			audit.WorkspaceBuildBaggageFromRequest(r),
 
@@ -415,18 +415,18 @@ func templateWithAgentAndPresetsWithPrebuilds(desiredInstances int32) *echo.Resp
 									Instances: desiredInstances,
 								},
 							},
-							{
-								Name: "preset-b",
-								Parameters: []*proto.PresetParameter{
-									{
-										Name:  "k1",
-										Value: "v2",
-									},
-								},
-								Prebuild: &proto.Prebuild{
-									Instances: desiredInstances,
-								},
-							},
+							//{
+							//	Name: "preset-b",
+							//	Parameters: []*proto.PresetParameter{
+							//		{
+							//			Name:  "k1",
+							//			Value: "v2",
+							//		},
+							//	},
+							//	Prebuild: &proto.Prebuild{
+							//		Instances: desiredInstances,
+							//	},
+							// },
 						},
 					},
 				},