From 422e044859d6b41cd036a087d4e043bc8fd29687 Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Mon, 19 Aug 2024 13:28:27 -0500
Subject: [PATCH] chore: forbidden error on create workspace without permissions (#14347)

Multi-org enables the possibility of a user having template permissions, but not workspace create permissions. The unauthorized error should be returned instead of a 404. This does not leak any information the user cannot already obtain.
---
 coderd/workspaces.go | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/coderd/workspaces.go b/coderd/workspaces.go
index 901e372396..0723acf3ec 100644
--- a/coderd/workspaces.go
+++ b/coderd/workspaces.go
@@ -374,13 +374,6 @@ func (api *API) postWorkspacesByOrganization(rw http.ResponseWriter, r *http.Req
 	defer commitAudit()
 
-	// Do this upfront to save work.
-	if !api.Authorize(r, policy.ActionCreate,
-		rbac.ResourceWorkspace.InOrg(organization.ID).WithOwner(member.UserID.String())) {
-		httpapi.ResourceNotFound(rw)
-		return
-	}
-
 	var req codersdk.CreateWorkspaceRequest
 	if !httpapi.Read(ctx, rw, r, &req) {
 		return
@@ -522,6 +515,22 @@ func createWorkspace(
 		return
 	}
 
+	// This is a premature auth check to avoid doing unnecessary work if the user
+	// doesn't have permission to create a workspace.
+	if !api.Authorize(r, policy.ActionCreate,
+		rbac.ResourceWorkspace.InOrg(template.OrganizationID).WithOwner(owner.ID.String())) {
+		// If this check fails, return a proper unauthorized error to the user to indicate
+		// what is going on.
+		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
+			Message: "Unauthorized to create workspace.",
+			Detail: "You are unable to create a workspace in this organization. " +
+				"It is possible to have access to the template, but not be able to create a workspace. " +
+				"Please contact an administrator about your permissions if you feel this is an error.",
+			Validations: nil,
+		})
+		return
+	}
+
 	// Update audit log's organization
 	auditReq.UpdateOrganizationID(template.OrganizationID)
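Review bot: The added block describes itself as a "premature auth check" but never says where the authoritative create authorization is enforced, so a later reader cannot tell whether this check may be dropped or whether it is the only one; extend the comment to name that layer, e.g. `// Premature check only: the authoritative create authorization is enforced later by <the function/layer that does it>; this exists to fail fast with a clear 403.` The response pairs http.StatusForbidden with `Message: "Unauthorized to create workspace.",`, which reads as 401 wording; `Message: "Not permitted to create a workspace.",` would match the status code. Because the check runs only after template (and so its organization) has already been resolved, the 403 appears to reveal nothing beyond what reaching this line already required, in line with the commit description, though that only holds if template resolution itself is authorized — worth confirming. `Validations: nil,` is the zero value and can be omitted. createWorkspace's body starts and ends outside the hunk.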