From ddb702afaef27476e9e059d33fa3c7ec4681c519 Mon Sep 17 00:00:00 2001
From: Kyle Carberry
Date: Tue, 7 Mar 2023 02:20:25 +0000
Subject: [PATCH] fix: adjust build state permission to require template update
---
 coderd/coderdtest/authorize.go | 4 ++--
 coderd/workspacebuilds.go | 12 +++++++++++-
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/coderd/coderdtest/authorize.go b/coderd/coderdtest/authorize.go
index 7b8e33140771f..e85dd961d4ff4 100644
--- a/coderd/coderdtest/authorize.go
+++ b/coderd/coderdtest/authorize.go
@@ -132,8 +132,8 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {
 AssertObject: workspaceRBACObj,
 },
 "GET:/api/v2/workspacebuilds/{workspacebuild}/state": {
- AssertAction: rbac.ActionRead,
- AssertObject: workspaceRBACObj,
+ AssertAction: rbac.ActionUpdate,
+ AssertObject: templateObj,
 },
 "GET:/api/v2/workspaceagents/{workspaceagent}": {
 AssertAction: rbac.ActionRead,
diff --git a/coderd/workspacebuilds.go b/coderd/workspacebuilds.go
index 26176f5a0c93e..addd2994c70ec 100644
--- a/coderd/workspacebuilds.go
+++ b/coderd/workspacebuilds.go
@@ -892,8 +892,18 @@ func (api *API) workspaceBuildState(rw http.ResponseWriter, r *http.Request) {
 })
 return
 }
+ template, err := api.Database.GetTemplateByID(ctx, workspace.TemplateID)
+ if err != nil {
+ httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+ Message: "Failed to get template",
+ Detail: err.Error(),
+ })
+ return
+ }
- if !api.Authorize(r, rbac.ActionRead, workspace) {
+ // You must have update permissions on the template to get the state.
+ // This matches a push!
+ if !api.Authorize(r, rbac.ActionUpdate, template.RBACObject()) {
 httpapi.ResourceNotFound(rw)
 return
 }
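Review bot: The route check for `GET:/api/v2/workspacebuilds/{workspacebuild}/state` now asserts only the `rbac.ActionUpdate` on `templateObj` pair, so the behavior the commit is really changing — a caller with read access to the workspace but no update right on its template must now be refused — is not pinned by anything in this table; it only proves which RBAC call the handler makes. A negative test that exercises the endpoint as a workspace owner without template update and expects the not-found response would make the regression visible if the check were later relaxed back to `workspaceRBACObj`. I can't see from this hunk whether `AuthTester` already runs such a non-admin variant; if it does, a short comment on the entry such as `// Build state is gated on template update, not workspace read — see workspaceBuildState.` would still help the next reader understand why this route is the odd one out among its neighbors. `AGPLRoutes` starts and ends outside the hunk.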
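Review bot: `api.Database.GetTemplateByID` is called before the new `api.Authorize` check and every error from it is written back as a 500 whose `Detail` is `err.Error()`, so a caller who would otherwise be answered with `httpapi.ResourceNotFound` can still learn the outcome of the template lookup and see raw database error text; the 404-on-unauthorized convention a few lines below is there precisely to avoid giving such callers an existence signal. I would handle the missing-row case the same way as an authorization failure before falling through to the generic 500, i.e. `if errors.Is(err, sql.ErrNoRows) { httpapi.ResourceNotFound(rw); return }` — this presumes `database/sql` and `errors` are already imported in this file, which the hunk does not show. The `// This matches a push!` comment would read better if it stated the rationale rather than the analogy, for example `// Build state is exposed only to callers who may update the template; anyone able to push a template version could presumably obtain this state through that path, so the endpoint grants nothing beyond it.` — the "presumably" is deliberate, since the push handler is not visible here. `workspaceBuildState` begins and ends outside the hunk, so I cannot confirm whether an earlier check on `workspace` still runs before this point.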