From 36d9f5ddb3d98029fee07d004709e1e51022e979 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@gmail.com>
Date: Mon, 24 Feb 2025 13:53:10 -0600
Subject: [PATCH 01/10] feat: implement WorkspaceCreationBan org role

Using negative permissions, this role prevents a user's ability
to create & delete a workspace within a given organization.

Workspaces are uniquely owned by an org and a user, so the org
has to supercede the user permission with a negative permission.
---
 coderd/rbac/roles.go | 107 +++++++++++++++++++++++++++++--------------
 1 file changed, 72 insertions(+), 35 deletions(-)

diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
index 7c733016430fe..440494450e2d1 100644
--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -27,11 +27,12 @@ const (
 	customSiteRole         string = "custom-site-role"
 	customOrganizationRole string = "custom-organization-role"
 
-	orgAdmin         string = "organization-admin"
-	orgMember        string = "organization-member"
-	orgAuditor       string = "organization-auditor"
-	orgUserAdmin     string = "organization-user-admin"
-	orgTemplateAdmin string = "organization-template-admin"
+	orgAdmin                string = "organization-admin"
+	orgMember               string = "organization-member"
+	orgAuditor              string = "organization-auditor"
+	orgUserAdmin            string = "organization-user-admin"
+	orgTemplateAdmin        string = "organization-template-admin"
+	orgWorkspaceCreationBan string = "organization-workspace-creation-ban"
 )
 
 func init() {
@@ -159,6 +160,10 @@ func RoleOrgTemplateAdmin() string {
 	return orgTemplateAdmin
 }
 
+func RoleOrgWorkspaceCreationBan() string {
+	return orgWorkspaceCreationBan
+}
+
 // ScopedRoleOrgAdmin is the org role with the organization ID
 func ScopedRoleOrgAdmin(organizationID uuid.UUID) RoleIdentifier {
 	return RoleIdentifier{Name: RoleOrgAdmin(), OrganizationID: organizationID}
@@ -181,6 +186,10 @@ func ScopedRoleOrgTemplateAdmin(organizationID uuid.UUID) RoleIdentifier {
 	return RoleIdentifier{Name: RoleOrgTemplateAdmin(), OrganizationID: organizationID}
 }
 
+func ScopedRoleOrgWorkspaceCreationBan(organizationID uuid.UUID) RoleIdentifier {
+	return RoleIdentifier{Name: RoleOrgWorkspaceCreationBan(), OrganizationID: organizationID}
+}
+
 func allPermsExcept(excepts ...Objecter) []Permission {
 	resources := AllResources()
 	var perms []Permission
@@ -496,6 +505,31 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				User: []Permission{},
 			}
 		},
+		// orgWorkspaceCreationBan prevents creating & deleting workspaces. This
+		// overrides any permissions granted by the org or user level. It accomplishes
+		// this by using negative permissions.
+		orgWorkspaceCreationBan: func(organizationID uuid.UUID) Role {
+			return Role{
+				Identifier:  RoleIdentifier{Name: orgWorkspaceCreationBan, OrganizationID: organizationID},
+				DisplayName: "Organization Workspace Creation Ban",
+				Site:        []Permission{},
+				Org: map[string][]Permission{
+					organizationID.String(): {
+						{
+							Negate:       true,
+							ResourceType: ResourceWorkspace.Type,
+							Action:       policy.ActionCreate,
+						},
+						{
+							Negate:       true,
+							ResourceType: ResourceWorkspace.Type,
+							Action:       policy.ActionDelete,
+						},
+					},
+				},
+				User: []Permission{},
+			}
+		},
 	}
 }
 
@@ -506,44 +540,47 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 //	map[actor_role][assign_role]<can_assign>
 var assignRoles = map[string]map[string]bool{
 	"system": {
-		owner:                  true,
-		auditor:                true,
-		member:                 true,
-		orgAdmin:               true,
-		orgMember:              true,
-		orgAuditor:             true,
-		orgUserAdmin:           true,
-		orgTemplateAdmin:       true,
-		templateAdmin:          true,
-		userAdmin:              true,
-		customSiteRole:         true,
-		customOrganizationRole: true,
+		owner:                   true,
+		auditor:                 true,
+		member:                  true,
+		orgAdmin:                true,
+		orgMember:               true,
+		orgAuditor:              true,
+		orgUserAdmin:            true,
+		orgTemplateAdmin:        true,
+		orgWorkspaceCreationBan: true,
+		templateAdmin:           true,
+		userAdmin:               true,
+		customSiteRole:          true,
+		customOrganizationRole:  true,
 	},
 	owner: {
-		owner:                  true,
-		auditor:                true,
-		member:                 true,
-		orgAdmin:               true,
-		orgMember:              true,
-		orgAuditor:             true,
-		orgUserAdmin:           true,
-		orgTemplateAdmin:       true,
-		templateAdmin:          true,
-		userAdmin:              true,
-		customSiteRole:         true,
-		customOrganizationRole: true,
+		owner:                   true,
+		auditor:                 true,
+		member:                  true,
+		orgAdmin:                true,
+		orgMember:               true,
+		orgAuditor:              true,
+		orgUserAdmin:            true,
+		orgTemplateAdmin:        true,
+		orgWorkspaceCreationBan: true,
+		templateAdmin:           true,
+		userAdmin:               true,
+		customSiteRole:          true,
+		customOrganizationRole:  true,
 	},
 	userAdmin: {
 		member:    true,
 		orgMember: true,
 	},
 	orgAdmin: {
-		orgAdmin:               true,
-		orgMember:              true,
-		orgAuditor:             true,
-		orgUserAdmin:           true,
-		orgTemplateAdmin:       true,
-		customOrganizationRole: true,
+		orgAdmin:                true,
+		orgMember:               true,
+		orgAuditor:              true,
+		orgUserAdmin:            true,
+		orgTemplateAdmin:        true,
+		orgWorkspaceCreationBan: true,
+		customOrganizationRole:  true,
 	},
 	orgUserAdmin: {
 		orgMember: true,

From 1b998d01fc99275362e385bc052e6f790da2ac96 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@gmail.com>
Date: Mon, 24 Feb 2025 14:21:33 -0600
Subject: [PATCH 02/10] fixup unit test listing roles

---
 coderd/rbac/roles_test.go       |  1 +
 codersdk/rbacroles.go           | 11 ++++++-----
 enterprise/coderd/roles_test.go | 27 +++++++++++++++------------
 3 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
index 1ac2c4c9e0796..c21c144c81632 100644
--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -951,6 +951,7 @@ func TestListRoles(t *testing.T) {
 		fmt.Sprintf("organization-auditor:%s", orgID.String()),
 		fmt.Sprintf("organization-user-admin:%s", orgID.String()),
 		fmt.Sprintf("organization-template-admin:%s", orgID.String()),
+		fmt.Sprintf("organization-workspace-creation-ban:%s", orgID.String()),
 	},
 		orgRoleNames)
 }
diff --git a/codersdk/rbacroles.go b/codersdk/rbacroles.go
index 49ed5c5b73176..7721eacbd5624 100644
--- a/codersdk/rbacroles.go
+++ b/codersdk/rbacroles.go
@@ -8,9 +8,10 @@ const (
 	RoleUserAdmin     string = "user-admin"
 	RoleAuditor       string = "auditor"
 
-	RoleOrganizationAdmin         string = "organization-admin"
-	RoleOrganizationMember        string = "organization-member"
-	RoleOrganizationAuditor       string = "organization-auditor"
-	RoleOrganizationTemplateAdmin string = "organization-template-admin"
-	RoleOrganizationUserAdmin     string = "organization-user-admin"
+	RoleOrganizationAdmin                string = "organization-admin"
+	RoleOrganizationMember               string = "organization-member"
+	RoleOrganizationAuditor              string = "organization-auditor"
+	RoleOrganizationTemplateAdmin        string = "organization-template-admin"
+	RoleOrganizationUserAdmin            string = "organization-user-admin"
+	RoleOrganizationWorkspaceCreationBan string = "organization-workspace-creation-ban"
 )
diff --git a/enterprise/coderd/roles_test.go b/enterprise/coderd/roles_test.go
index 8bbf9218058e7..57b66a368248c 100644
--- a/enterprise/coderd/roles_test.go
+++ b/enterprise/coderd/roles_test.go
@@ -441,10 +441,11 @@ func TestListRoles(t *testing.T) {
 				return member.ListOrganizationRoles(ctx, owner.OrganizationID)
 			},
 			ExpectedRoles: convertRoles(map[rbac.RoleIdentifier]bool{
-				{Name: codersdk.RoleOrganizationAdmin, OrganizationID: owner.OrganizationID}:         false,
-				{Name: codersdk.RoleOrganizationAuditor, OrganizationID: owner.OrganizationID}:       false,
-				{Name: codersdk.RoleOrganizationTemplateAdmin, OrganizationID: owner.OrganizationID}: false,
-				{Name: codersdk.RoleOrganizationUserAdmin, OrganizationID: owner.OrganizationID}:     false,
+				{Name: codersdk.RoleOrganizationAdmin, OrganizationID: owner.OrganizationID}:                false,
+				{Name: codersdk.RoleOrganizationAuditor, OrganizationID: owner.OrganizationID}:              false,
+				{Name: codersdk.RoleOrganizationTemplateAdmin, OrganizationID: owner.OrganizationID}:        false,
+				{Name: codersdk.RoleOrganizationUserAdmin, OrganizationID: owner.OrganizationID}:            false,
+				{Name: codersdk.RoleOrganizationWorkspaceCreationBan, OrganizationID: owner.OrganizationID}: false,
 			}),
 		},
 		{
@@ -473,10 +474,11 @@ func TestListRoles(t *testing.T) {
 				return orgAdmin.ListOrganizationRoles(ctx, owner.OrganizationID)
 			},
 			ExpectedRoles: convertRoles(map[rbac.RoleIdentifier]bool{
-				{Name: codersdk.RoleOrganizationAdmin, OrganizationID: owner.OrganizationID}:         true,
-				{Name: codersdk.RoleOrganizationAuditor, OrganizationID: owner.OrganizationID}:       true,
-				{Name: codersdk.RoleOrganizationTemplateAdmin, OrganizationID: owner.OrganizationID}: true,
-				{Name: codersdk.RoleOrganizationUserAdmin, OrganizationID: owner.OrganizationID}:     true,
+				{Name: codersdk.RoleOrganizationAdmin, OrganizationID: owner.OrganizationID}:                true,
+				{Name: codersdk.RoleOrganizationAuditor, OrganizationID: owner.OrganizationID}:              true,
+				{Name: codersdk.RoleOrganizationTemplateAdmin, OrganizationID: owner.OrganizationID}:        true,
+				{Name: codersdk.RoleOrganizationUserAdmin, OrganizationID: owner.OrganizationID}:            true,
+				{Name: codersdk.RoleOrganizationWorkspaceCreationBan, OrganizationID: owner.OrganizationID}: true,
 			}),
 		},
 		{
@@ -505,10 +507,11 @@ func TestListRoles(t *testing.T) {
 				return client.ListOrganizationRoles(ctx, owner.OrganizationID)
 			},
 			ExpectedRoles: convertRoles(map[rbac.RoleIdentifier]bool{
-				{Name: codersdk.RoleOrganizationAdmin, OrganizationID: owner.OrganizationID}:         true,
-				{Name: codersdk.RoleOrganizationAuditor, OrganizationID: owner.OrganizationID}:       true,
-				{Name: codersdk.RoleOrganizationTemplateAdmin, OrganizationID: owner.OrganizationID}: true,
-				{Name: codersdk.RoleOrganizationUserAdmin, OrganizationID: owner.OrganizationID}:     true,
+				{Name: codersdk.RoleOrganizationAdmin, OrganizationID: owner.OrganizationID}:                true,
+				{Name: codersdk.RoleOrganizationAuditor, OrganizationID: owner.OrganizationID}:              true,
+				{Name: codersdk.RoleOrganizationTemplateAdmin, OrganizationID: owner.OrganizationID}:        true,
+				{Name: codersdk.RoleOrganizationUserAdmin, OrganizationID: owner.OrganizationID}:            true,
+				{Name: codersdk.RoleOrganizationWorkspaceCreationBan, OrganizationID: owner.OrganizationID}: true,
 			}),
 		},
 	}

From 41148d9a0675abf6f1dfc2be44a9f0aefe459815 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@gmail.com>
Date: Mon, 24 Feb 2025 14:50:14 -0600
Subject: [PATCH 03/10] test: add unit test for workspace ban role

---
 coderd/httpapi/httpapi.go      | 10 +++++---
 coderd/workspaces_test.go      | 47 ++++++++++++++++++++++++++++++++++
 coderd/wsbuilder/wsbuilder.go  |  9 +++++++
 site/src/api/typesGenerated.ts |  4 +++
 4 files changed, 66 insertions(+), 4 deletions(-)

diff --git a/coderd/httpapi/httpapi.go b/coderd/httpapi/httpapi.go
index a9687d58a0604..d5895dcbf86f0 100644
--- a/coderd/httpapi/httpapi.go
+++ b/coderd/httpapi/httpapi.go
@@ -151,11 +151,13 @@ func ResourceNotFound(rw http.ResponseWriter) {
 	Write(context.Background(), rw, http.StatusNotFound, ResourceNotFoundResponse)
 }
 
+var ResourceForbiddenResponse = codersdk.Response{
+	Message: "Forbidden.",
+	Detail:  "You don't have permission to view this content. If you believe this is a mistake, please contact your administrator or try signing in with different credentials.",
+}
+
 func Forbidden(rw http.ResponseWriter) {
-	Write(context.Background(), rw, http.StatusForbidden, codersdk.Response{
-		Message: "Forbidden.",
-		Detail:  "You don't have permission to view this content. If you believe this is a mistake, please contact your administrator or try signing in with different credentials.",
-	})
+	Write(context.Background(), rw, http.StatusForbidden, ResourceForbiddenResponse)
 }
 
 func InternalServerError(rw http.ResponseWriter, err error) {
diff --git a/coderd/workspaces_test.go b/coderd/workspaces_test.go
index 7a81d5192668f..34ef8a2517af8 100644
--- a/coderd/workspaces_test.go
+++ b/coderd/workspaces_test.go
@@ -375,6 +375,53 @@ func TestWorkspace(t *testing.T) {
 		require.Error(t, err, "create workspace with archived version")
 		require.ErrorContains(t, err, "Archived template versions cannot")
 	})
+
+	t.Run("WorkspaceBan", func(t *testing.T) {
+		t.Parallel()
+		owner, _, _ := coderdtest.NewWithAPI(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		first := coderdtest.CreateFirstUser(t, owner)
+
+		version := coderdtest.CreateTemplateVersion(t, owner, first.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJobCompleted(t, owner, version.ID)
+		template := coderdtest.CreateTemplate(t, owner, first.OrganizationID, version.ID)
+
+		goodClient, _ := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID)
+
+		// When a user with workspace-creation-ban
+		client, user := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.ScopedRoleOrgWorkspaceCreationBan(first.OrganizationID))
+
+		// Ensure a similar user can create a workspace
+		coderdtest.CreateWorkspace(t, goodClient, template.ID)
+
+		ctx := testutil.Context(t, testutil.WaitLong)
+		// Then: Cannot create a workspace
+		_, err := client.CreateUserWorkspace(ctx, codersdk.Me, codersdk.CreateWorkspaceRequest{
+			TemplateID:        template.ID,
+			TemplateVersionID: uuid.UUID{},
+			Name:              "random",
+		})
+		require.Error(t, err)
+		var apiError *codersdk.Error
+		require.ErrorAs(t, err, &apiError)
+		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+
+		// When: workspace-ban use has a workspace
+		wrk, err := owner.CreateUserWorkspace(ctx, user.ID.String(), codersdk.CreateWorkspaceRequest{
+			TemplateID:        template.ID,
+			TemplateVersionID: uuid.UUID{},
+			Name:              "random",
+		})
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, wrk.LatestBuild.ID)
+
+		// Then: They cannot delete said workspace
+		_, err = client.CreateWorkspaceBuild(ctx, wrk.ID, codersdk.CreateWorkspaceBuildRequest{
+			Transition:       codersdk.WorkspaceTransitionDelete,
+			ProvisionerState: []byte{},
+		})
+		require.Error(t, err)
+		require.ErrorAs(t, err, &apiError)
+		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+	})
 }
 
 func TestResolveAutostart(t *testing.T) {
diff --git a/coderd/wsbuilder/wsbuilder.go b/coderd/wsbuilder/wsbuilder.go
index a31e5eff4686a..f6d6d7381a24f 100644
--- a/coderd/wsbuilder/wsbuilder.go
+++ b/coderd/wsbuilder/wsbuilder.go
@@ -790,6 +790,15 @@ func (b *Builder) authorize(authFunc func(action policy.Action, object rbac.Obje
 		return BuildError{http.StatusBadRequest, msg, xerrors.New(msg)}
 	}
 	if !authFunc(action, b.workspace) {
+		if authFunc(policy.ActionRead, b.workspace) {
+			// If the user can read the workspace, but not delete/create/update. Show
+			// a more helpful error. They are allowed to know the workspace exists.
+			return BuildError{
+				Status:  http.StatusForbidden,
+				Message: fmt.Sprintf("You do not have permission to %s this workspace.", action),
+				Wrapped: xerrors.New(httpapi.ResourceForbiddenResponse.Detail),
+			}
+		}
 		// We use the same wording as the httpapi to avoid leaking the existence of the workspace
 		return BuildError{http.StatusNotFound, httpapi.ResourceNotFoundResponse.Message, xerrors.New(httpapi.ResourceNotFoundResponse.Message)}
 	}
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
index d335cce7732f2..da67985826aed 100644
--- a/site/src/api/typesGenerated.ts
+++ b/site/src/api/typesGenerated.ts
@@ -2095,6 +2095,10 @@ export const RoleOrganizationTemplateAdmin = "organization-template-admin";
 // From codersdk/rbacroles.go
 export const RoleOrganizationUserAdmin = "organization-user-admin";
 
+// From codersdk/rbacroles.go
+export const RoleOrganizationWorkspaceCreationBan =
+	"organization-workspace-creation-ban";
+
 // From codersdk/rbacroles.go
 export const RoleOwner = "owner";
 

From a3f3837a78ef7de3d433a0c33130c524ef8f8474 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@gmail.com>
Date: Mon, 24 Feb 2025 14:52:36 -0600
Subject: [PATCH 04/10] add role perm assertions

---
 coderd/rbac/roles_test.go | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
index c21c144c81632..859afea0b4050 100644
--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -112,6 +112,7 @@ func TestRolePermissions(t *testing.T) {
 	// Subjects to user
 	memberMe := authSubject{Name: "member_me", Actor: rbac.Subject{ID: currentUser.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember()}}}
 	orgMemberMe := authSubject{Name: "org_member_me", Actor: rbac.Subject{ID: currentUser.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgMember(orgID)}}}
+	orgMemberMeBanWorkspace := authSubject{Name: "org_member_me_workspace_ban", Actor: rbac.Subject{ID: currentUser.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgMember(orgID), rbac.ScopedRoleOrgWorkspaceCreationBan(orgID)}}}
 	groupMemberMe := authSubject{Name: "group_member_me", Actor: rbac.Subject{ID: currentUser.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.ScopedRoleOrgMember(orgID)}, Groups: []string{groupID.String()}}}
 
 	owner := authSubject{Name: "owner", Actor: rbac.Subject{ID: adminID.String(), Roles: rbac.RoleIdentifiers{rbac.RoleMember(), rbac.RoleOwner()}}}
@@ -181,20 +182,30 @@ func TestRolePermissions(t *testing.T) {
 			Actions:  []policy.Action{policy.ActionRead},
 			Resource: rbac.ResourceWorkspace.WithID(workspaceID).InOrg(orgID).WithOwner(currentUser.String()),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
-				true:  {owner, orgMemberMe, orgAdmin, templateAdmin, orgTemplateAdmin},
+				true:  {owner, orgMemberMe, orgAdmin, templateAdmin, orgTemplateAdmin, orgMemberMeBanWorkspace},
 				false: {setOtherOrg, memberMe, userAdmin, orgAuditor, orgUserAdmin},
 			},
 		},
 		{
-			Name: "C_RDMyWorkspaceInOrg",
+			Name: "UpdateMyWorkspaceInOrg",
 			// When creating the WithID won't be set, but it does not change the result.
-			Actions:  []policy.Action{policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
+			Actions:  []policy.Action{policy.ActionUpdate},
 			Resource: rbac.ResourceWorkspace.WithID(workspaceID).InOrg(orgID).WithOwner(currentUser.String()),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
 				true:  {owner, orgMemberMe, orgAdmin},
 				false: {setOtherOrg, memberMe, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor},
 			},
 		},
+		{
+			Name: "C__DMyWorkspaceInOrg",
+			// When creating the WithID won't be set, but it does not change the result.
+			Actions:  []policy.Action{policy.ActionCreate, policy.ActionDelete},
+			Resource: rbac.ResourceWorkspace.WithID(workspaceID).InOrg(orgID).WithOwner(currentUser.String()),
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true:  {owner, orgMemberMe, orgAdmin},
+				false: {setOtherOrg, memberMe, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor, orgMemberMeBanWorkspace},
+			},
+		},
 		{
 			Name: "MyWorkspaceInOrgExecution",
 			// When creating the WithID won't be set, but it does not change the result.

From 59e1eb1740c3467ea17c3c8bfced3d318e664879 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@gmail.com>
Date: Mon, 24 Feb 2025 14:58:51 -0600
Subject: [PATCH 05/10] fixup lint

---
 coderd/workspaces_test.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/coderd/workspaces_test.go b/coderd/workspaces_test.go
index 34ef8a2517af8..8ee23dcd5100d 100644
--- a/coderd/workspaces_test.go
+++ b/coderd/workspaces_test.go
@@ -411,6 +411,7 @@ func TestWorkspace(t *testing.T) {
 			TemplateVersionID: uuid.UUID{},
 			Name:              "random",
 		})
+		require.NoError(t, err)
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, wrk.LatestBuild.ID)
 
 		// Then: They cannot delete said workspace

From b415ee42c31bbb344406499ac182707d7f2c6efe Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Tue, 25 Feb 2025 18:06:09 +0000
Subject: [PATCH 06/10] feat: create advanced roles collapsible section

---
 .../UserTable/EditRolesButton.tsx             | 60 ++++++++++++++++++-
 1 file changed, 57 insertions(+), 3 deletions(-)

diff --git a/site/src/pages/OrganizationSettingsPage/UserTable/EditRolesButton.tsx b/site/src/pages/OrganizationSettingsPage/UserTable/EditRolesButton.tsx
index 64e059b4134f6..30f671b497478 100644
--- a/site/src/pages/OrganizationSettingsPage/UserTable/EditRolesButton.tsx
+++ b/site/src/pages/OrganizationSettingsPage/UserTable/EditRolesButton.tsx
@@ -16,7 +16,9 @@ import {
 	PopoverContent,
 	PopoverTrigger,
 } from "components/deprecated/Popover/Popover";
-import type { FC } from "react";
+import { ChevronDownIcon, ChevronRightIcon } from "lucide-react";
+import { type FC, useEffect, useState } from "react";
+import { cn } from "utils/cn";
 
 const roleDescriptions: Record<string, string> = {
 	owner:
@@ -57,7 +59,7 @@ const Option: FC<OptionProps> = ({
 					}}
 				/>
 				<div className="flex flex-col">
-					<strong>{name}</strong>
+					<strong className="text-sm">{name}</strong>
 					<span className="text-xs text-content-secondary">{description}</span>
 				</div>
 			</div>
@@ -91,6 +93,7 @@ export const EditRolesButton: FC<EditRolesButtonProps> = ({
 
 		onChange([...selectedRoleNames, roleName]);
 	};
+	const [isAdvancedOpen, setIsAdvancedOpen] = useState(false);
 
 	const canSetRoles =
 		userLoginType !== "oidc" || (userLoginType === "oidc" && !oidcRoleSync);
@@ -109,6 +112,20 @@ export const EditRolesButton: FC<EditRolesButtonProps> = ({
 		);
 	}
 
+	const filteredRoles = roles.filter(
+		(role) => role.name !== "organization-workspace-creation-ban",
+	);
+	const advancedRoles = roles.filter(
+		(role) => role.name === "organization-workspace-creation-ban",
+	);
+
+	// make sure the advanced roles are always visible if the user has one of these roles
+	useEffect(() => {
+		if (selectedRoleNames.has("organization-workspace-creation-ban")) {
+			setIsAdvancedOpen(true);
+		}
+	}, [selectedRoleNames]);
+
 	return (
 		<Popover>
 			<PopoverTrigger>
@@ -131,7 +148,7 @@ export const EditRolesButton: FC<EditRolesButtonProps> = ({
 					title="Available roles"
 				>
 					<div className="flex flex-col gap-4 p-6">
-						{roles.map((role) => (
+						{filteredRoles.map((role) => (
 							<Option
 								key={role.name}
 								onChange={handleChange}
@@ -141,6 +158,43 @@ export const EditRolesButton: FC<EditRolesButtonProps> = ({
 								description={roleDescriptions[role.name] ?? ""}
 							/>
 						))}
+						{advancedRoles.length > 0 && (
+							<>
+								<button
+									className={cn([
+										"flex items-center gap-1 p-0 bg-transparent border-0 text-inherit text-sm cursor-pointer",
+										"transition-colors text-content-secondary hover:text-content-primary font-medium whitespace-nowrap",
+										isAdvancedOpen && "text-content-primary",
+									])}
+									type="button"
+									onClick={() => {
+										setIsAdvancedOpen((v) => !v);
+									}}
+								>
+									{isAdvancedOpen ? (
+										<ChevronDownIcon className="size-icon-sm p-0.5" />
+									) : (
+										<ChevronRightIcon className="size-icon-sm p-0.5" />
+									)}
+									<span className="sr-only">
+										({isAdvancedOpen ? "Hide" : "Show advanced"})
+									</span>
+									<span className="[&:first-letter]:uppercase">Advanced</span>
+								</button>
+
+								{isAdvancedOpen &&
+									advancedRoles.map((role) => (
+										<Option
+											key={role.name}
+											onChange={handleChange}
+											isChecked={selectedRoleNames.has(role.name)}
+											value={role.name}
+											name={role.display_name || role.name}
+											description={roleDescriptions[role.name] ?? ""}
+										/>
+									))}
+							</>
+						)}
 					</div>
 				</fieldset>
 				<div className="p-6 border-t-1 border-solid border-border text-sm">

From 3fef4ef4361e93acac5da035ad1f4dc9e3abe913 Mon Sep 17 00:00:00 2001
From: Steven Masley <Emyrk@users.noreply.github.com>
Date: Wed, 26 Feb 2025 15:43:43 -0600
Subject: [PATCH 07/10] Update coderd/rbac/roles_test.go
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: ケイラ <mckayla@hey.com>
---
 coderd/rbac/roles_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
index 859afea0b4050..1442ac34c02ad 100644
--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -197,7 +197,7 @@ func TestRolePermissions(t *testing.T) {
 			},
 		},
 		{
-			Name: "C__DMyWorkspaceInOrg",
+			Name: "CreateDeleteMyWorkspaceInOrg",
 			// When creating the WithID won't be set, but it does not change the result.
 			Actions:  []policy.Action{policy.ActionCreate, policy.ActionDelete},
 			Resource: rbac.ResourceWorkspace.WithID(workspaceID).InOrg(orgID).WithOwner(currentUser.String()),

From 5178cbd46452bba7b8e58bdbdaa06b8032c916cc Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Wed, 26 Feb 2025 22:24:52 +0000
Subject: [PATCH 08/10] chore: add storybook story for

---
 .../UserTable/EditRolesButton.stories.tsx            | 12 ++++++++++++
 site/src/testHelpers/entities.ts                     | 12 +++++++++++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/site/src/pages/OrganizationSettingsPage/UserTable/EditRolesButton.stories.tsx b/site/src/pages/OrganizationSettingsPage/UserTable/EditRolesButton.stories.tsx
index 0511a9d877ea1..f3244898483ce 100644
--- a/site/src/pages/OrganizationSettingsPage/UserTable/EditRolesButton.stories.tsx
+++ b/site/src/pages/OrganizationSettingsPage/UserTable/EditRolesButton.stories.tsx
@@ -4,6 +4,7 @@ import {
 	MockOwnerRole,
 	MockSiteRoles,
 	MockUserAdminRole,
+	MockWorkspaceCreationBanRole,
 } from "testHelpers/entities";
 import { withDesktopViewport } from "testHelpers/storybook";
 import { EditRolesButton } from "./EditRolesButton";
@@ -41,3 +42,14 @@ export const Loading: Story = {
 		await userEvent.click(canvas.getByRole("button"));
 	},
 };
+
+export const AdvancedOpen: Story = {
+	args: {
+		selectedRoleNames: new Set([MockWorkspaceCreationBanRole.name]),
+		roles: MockSiteRoles,
+	},
+	play: async ({ canvasElement }) => {
+		const canvas = within(canvasElement);
+		await userEvent.click(canvas.getByRole("button"));
+	},
+};
diff --git a/site/src/testHelpers/entities.ts b/site/src/testHelpers/entities.ts
index 74d4de9121e2e..3b7e1bb63715a 100644
--- a/site/src/testHelpers/entities.ts
+++ b/site/src/testHelpers/entities.ts
@@ -296,6 +296,15 @@ export const MockAuditorRole: TypesGen.Role = {
 	organization_id: "",
 };
 
+export const MockWorkspaceCreationBanRole: TypesGen.Role = {
+	name: "organization-workspace-creation-ban",
+	display_name: "Organization Workspace Creation Ban",
+	site_permissions: [],
+	organization_permissions: [],
+	user_permissions: [],
+	organization_id: "",
+};
+
 export const MockMemberRole: TypesGen.SlimRole = {
 	name: "member",
 	display_name: "Member",
@@ -459,10 +468,11 @@ export function assignableRole(
 	};
 }
 
-export const MockSiteRoles = [MockUserAdminRole, MockAuditorRole];
+export const MockSiteRoles = [MockUserAdminRole, MockAuditorRole, MockWorkspaceCreationBanRole];
 export const MockAssignableSiteRoles = [
 	assignableRole(MockUserAdminRole, true),
 	assignableRole(MockAuditorRole, true),
+	assignableRole(MockWorkspaceCreationBanRole, true),
 ];
 
 export const MockMemberPermissions = {

From 252585264d99a696dd1e1e55d1e7494a322150f4 Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Wed, 26 Feb 2025 22:25:58 +0000
Subject: [PATCH 09/10] fix: increase popover width

---
 .../OrganizationSettingsPage/UserTable/EditRolesButton.tsx    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/site/src/pages/OrganizationSettingsPage/UserTable/EditRolesButton.tsx b/site/src/pages/OrganizationSettingsPage/UserTable/EditRolesButton.tsx
index 30f671b497478..c8eb4001e406a 100644
--- a/site/src/pages/OrganizationSettingsPage/UserTable/EditRolesButton.tsx
+++ b/site/src/pages/OrganizationSettingsPage/UserTable/EditRolesButton.tsx
@@ -141,13 +141,13 @@ export const EditRolesButton: FC<EditRolesButtonProps> = ({
 				</Tooltip>
 			</PopoverTrigger>
 
-			<PopoverContent className="w-80" disablePortal={false}>
+			<PopoverContent className="w-96" disablePortal={false}>
 				<fieldset
 					className="border-0 m-0 p-0 disabled:opacity-50"
 					disabled={isLoading}
 					title="Available roles"
 				>
-					<div className="flex flex-col gap-4 p-6">
+					<div className="flex flex-col gap-4 p-6 w-96">
 						{filteredRoles.map((role) => (
 							<Option
 								key={role.name}

From b1c77caca774dd462f0405e0e91a4ecc5fa6d753 Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Wed, 26 Feb 2025 22:31:17 +0000
Subject: [PATCH 10/10] fix: fix format

---
 site/src/testHelpers/entities.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/site/src/testHelpers/entities.ts b/site/src/testHelpers/entities.ts
index 3b7e1bb63715a..38f69ad8b76aa 100644
--- a/site/src/testHelpers/entities.ts
+++ b/site/src/testHelpers/entities.ts
@@ -468,7 +468,11 @@ export function assignableRole(
 	};
 }
 
-export const MockSiteRoles = [MockUserAdminRole, MockAuditorRole, MockWorkspaceCreationBanRole];
+export const MockSiteRoles = [
+	MockUserAdminRole,
+	MockAuditorRole,
+	MockWorkspaceCreationBanRole,
+];
 export const MockAssignableSiteRoles = [
 	assignableRole(MockUserAdminRole, true),
 	assignableRole(MockAuditorRole, true),