From 3796dc348351e7abe211e009550d150691d99dad Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Sat, 9 Dec 2023 00:12:11 +0000
Subject: [PATCH 1/2] fix: rebuilding workspace with require_active_version
 should return 403

---
 coderd/workspacebuilds.go                 | 2 +-
 coderd/wsbuilder/wsbuilder.go             | 2 +-
 enterprise/coderd/workspacebuilds_test.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/coderd/workspacebuilds.go b/coderd/workspacebuilds.go
index 5025d778d83ad..bfc083c9a5d41 100644
--- a/coderd/workspacebuilds.go
+++ b/coderd/workspacebuilds.go
@@ -379,7 +379,7 @@ func (api *API) postWorkspaceBuilds(rw http.ResponseWriter, r *http.Request) {
 	if xerrors.As(err, &buildErr) {
 		var authErr dbauthz.NotAuthorizedError
 		if xerrors.As(err, &authErr) {
-			buildErr.Status = http.StatusUnauthorized
+			buildErr.Status = http.StatusForbidden
 		}
 
 		if buildErr.Status == http.StatusInternalServerError {
diff --git a/coderd/wsbuilder/wsbuilder.go b/coderd/wsbuilder/wsbuilder.go
index c66c7b3d28e53..810f52502c6f8 100644
--- a/coderd/wsbuilder/wsbuilder.go
+++ b/coderd/wsbuilder/wsbuilder.go
@@ -353,7 +353,7 @@ func (b *Builder) buildTx(authFunc func(action rbac.Action, object rbac.Objecter
 		if err != nil {
 			code := http.StatusInternalServerError
 			if rbac.IsUnauthorizedError(err) {
-				code = http.StatusUnauthorized
+				code = http.StatusForbidden
 			}
 			return BuildError{code, "insert workspace build", err}
 		}
diff --git a/enterprise/coderd/workspacebuilds_test.go b/enterprise/coderd/workspacebuilds_test.go
index e90ea07e24c60..12ba9c95f964e 100644
--- a/enterprise/coderd/workspacebuilds_test.go
+++ b/enterprise/coderd/workspacebuilds_test.go
@@ -103,7 +103,7 @@ func TestWorkspaceBuild(t *testing.T) {
 			{
 				Name:               "MemberFails",
 				Client:             memberClient,
-				ExpectedStatusCode: http.StatusUnauthorized,
+				ExpectedStatusCode: http.StatusForbidden,
 			},
 		}
 

From 27e4aad6482456e342ef13ce42ad3c840485d1c5 Mon Sep 17 00:00:00 2001
From: Jon Ayers <jon@coder.com>
Date: Sat, 9 Dec 2023 00:20:56 +0000
Subject: [PATCH 2/2] fix cli

---
 cli/restart.go | 2 +-
 cli/ssh.go     | 3 ++-
 cli/start.go   | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/cli/restart.go b/cli/restart.go
index a8f7b40f2c709..211b8bcc7a0c0 100644
--- a/cli/restart.go
+++ b/cli/restart.go
@@ -63,7 +63,7 @@ func (r *RootCmd) restart() *clibase.Cmd {
 			build, err = client.CreateWorkspaceBuild(ctx, workspace.ID, startReq)
 			// It's possible for a workspace build to fail due to the template requiring starting
 			// workspaces with the active version.
-			if cerr, ok := codersdk.AsError(err); ok && cerr.StatusCode() == http.StatusUnauthorized {
+			if cerr, ok := codersdk.AsError(err); ok && cerr.StatusCode() == http.StatusForbidden {
 				_, _ = fmt.Fprintln(inv.Stdout, "Failed to restart with the template version from your last build. Policy may require you to restart with the current active template version.")
 				build, err = startWorkspace(inv, client, workspace, parameterFlags, WorkspaceUpdate)
 				if err != nil {
diff --git a/cli/ssh.go b/cli/ssh.go
index b51093469143d..63433ddc307f7 100644
--- a/cli/ssh.go
+++ b/cli/ssh.go
@@ -14,7 +14,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/coder/retry"
 	"github.com/gen2brain/beeep"
 	"github.com/gofrs/flock"
 	"github.com/google/uuid"
@@ -25,6 +24,8 @@ import (
 	"golang.org/x/xerrors"
 	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
 
+	"github.com/coder/retry"
+
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
 
diff --git a/cli/start.go b/cli/start.go
index d159160711ea8..d5c51ddc3ad38 100644
--- a/cli/start.go
+++ b/cli/start.go
@@ -34,7 +34,7 @@ func (r *RootCmd) start() *clibase.Cmd {
 			build, err := startWorkspace(inv, client, workspace, parameterFlags, WorkspaceStart)
 			// It's possible for a workspace build to fail due to the template requiring starting
 			// workspaces with the active version.
-			if cerr, ok := codersdk.AsError(err); ok && cerr.StatusCode() == http.StatusUnauthorized {
+			if cerr, ok := codersdk.AsError(err); ok && cerr.StatusCode() == http.StatusForbidden {
 				_, _ = fmt.Fprintln(inv.Stdout, "Failed to restart with the template version from your last build. Policy may require you to restart with the current active template version.")
 				build, err = startWorkspace(inv, client, workspace, parameterFlags, WorkspaceUpdate)
 				if err != nil {