[server] Extend Prebuild access level to WorkspaceInstance

geropl · roboquat · commit c8856571babb · 2022-07-06T15:09:53.000+05:30
diff --git a/components/server/src/auth/resource-access.spec.ts b/components/server/src/auth/resource-access.spec.ts
@@ -885,6 +885,43 @@ class TestResourceAccess {
                 teamRole: "owner",
                 expectation: true,
             },
+            // prebuild instance with repo access
+            {
+                name: "prebuild workspaceInstance get owner",
+                resourceKind: "workspaceInstance",
+                workspaceType: "prebuild",
+                isOwner: true,
+                teamRole: undefined,
+                repositoryAccess: true,
+                expectation: true,
+            },
+            {
+                name: "prebuild workspaceInstance get other",
+                resourceKind: "workspaceInstance",
+                workspaceType: "prebuild",
+                isOwner: false,
+                teamRole: undefined,
+                repositoryAccess: true,
+                expectation: true,
+            },
+            {
+                name: "prebuild workspaceInstance get team member",
+                resourceKind: "workspaceInstance",
+                workspaceType: "prebuild",
+                isOwner: false,
+                teamRole: "member",
+                repositoryAccess: true,
+                expectation: true,
+            },
+            {
+                name: "prebuild workspaceInstance get team owner (same as member)",
+                resourceKind: "workspaceInstance",
+                workspaceType: "prebuild",
+                isOwner: false,
+                teamRole: "owner",
+                repositoryAccess: true,
+                expectation: true,
+            },
             // prebuild
             {
                 name: "prebuild get owner",
diff --git a/components/server/src/auth/resource-access.ts b/components/server/src/auth/resource-access.ts
@@ -489,7 +489,14 @@ export class RepositoryResourceGuard implements ResourceAccessGuard {
                 if (workspace.type !== "prebuild") {
                     return false;
                 }
-                // We're only allowed to access prebuild workspaces with the repository guard
+                // We're only allowed to access prebuild workspaces with this repository guard
+                break;
+            case "workspaceInstance":
+                workspace = resource.workspace;
+                if (workspace.type !== "prebuild") {
+                    return false;
+                }
+                // We're only allowed to access prebuild workspace instances with thi repository guard
                 break;
             case "workspaceLog":
                 workspace = resource.subject;
