fix(coderd): authorize workspace start/stop/delete by transition action (#21691)

Use transition-specific actions when authorizing workspace build parameter inserts in the database layer so start/stop/delete do not require workspace.update. Related to: https://github.com/coder/internal/issues/1299
2026-06-02 20:48:20 +00:00 · 2026-01-27 09:08:12 -08:00
parent 2ee3386cc5
commit c352a51b22
3 changed files with 73 additions and 13 deletions
@@ -1175,8 +1175,16 @@ func (b *Builder) authorize(authFunc func(action policy.Action, object rbac.Obje
 	switch b.trans {
 	case database.WorkspaceTransitionDelete:
 		action = policy.ActionDelete
-	case database.WorkspaceTransitionStart, database.WorkspaceTransitionStop:
-		action = policy.ActionUpdate
+	case database.WorkspaceTransitionStart:
+		action = policy.ActionWorkspaceStart
+		if b.workspace.DormantAt.Valid {
+			// Dormant workspaces can't be started directly; they are
+			// first "woken" by unsetting dormancy, which makes the
+			// workspace.start permission apply.
+			action = policy.ActionUpdate
+		}
+	case database.WorkspaceTransitionStop:
+		action = policy.ActionWorkspaceStop
 	default:
 		msg := fmt.Sprintf("Transition %q not supported.", b.trans)
 		return BuildError{http.StatusBadRequest, msg, xerrors.New(msg)}