coder
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 76 additions & 1 deletion b/‎coderd/apidoc/docs.go
Lines changed: 76 additions & 1 deletion
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 66 additions & 1 deletion b/‎coderd/apidoc/swagger.json
Lines changed: 66 additions & 1 deletion
diff --git a/‎coderd/coderd.go
Lines changed: 6 additions & 0 deletions b/‎coderd/coderd.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/coderdtest/swaggerparser.go
Lines changed: 2 additions & 1 deletion b/‎coderd/coderdtest/swaggerparser.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 24 additions & 0 deletions b/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 24 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 12 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 12 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 16 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 16 additions & 0 deletions
diff --git a/‎coderd/database/dbmetrics/querymetrics.go
Lines changed: 7 additions & 0 deletions b/‎coderd/database/dbmetrics/querymetrics.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/database/dbmock/dbmock.go
Lines changed: 14 additions & 0 deletions b/‎coderd/database/dbmock/dbmock.go
Lines changed: 14 additions & 0 deletions
diff --git a/‎coderd/database/modelmethods.go
Lines changed: 3 additions & 1 deletion b/‎coderd/database/modelmethods.go
Lines changed: 3 additions & 1 deletion
@@ -1413,6 +1413,12 @@ func New(options *Options) *API {
 					r.Delete("/", api.deleteWorkspaceAgentPortShare)
 				})
 				r.Get("/timings", api.workspaceTimings)
+				r.Route("/acl", func(r chi.Router) {
+					r.Use(
+						httpmw.RequireExperiment(api.Experiments, codersdk.ExperimentWorkspaceSharing))
+
+					r.Patch("/", api.patchWorkspaceACL)
+				})
 			})
 		})
 		r.Route("/workspacebuilds/{workspacebuild}", func(r chi.Router) {
 
@@ -360,7 +360,8 @@ func assertProduce(t *testing.T, comment SwaggerComment) {
 			(comment.router == "/workspaceagents/me/startup/logs" && comment.method == "patch") ||
 			(comment.router == "/licenses/{id}" && comment.method == "delete") ||
 			(comment.router == "/debug/coordinator" && comment.method == "get") ||
-			(comment.router == "/debug/tailnet" && comment.method == "get") {
+			(comment.router == "/debug/tailnet" && comment.method == "get") ||
+			(comment.router == "/workspaces/{workspace}/acl" && comment.method == "patch") {
 			return // Exception: HTTP 200 is returned without response entity
 		}
 
 
@@ -24,6 +24,7 @@ import (
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/render"
 	"github.com/coder/coder/v2/coderd/util/ptr"
+	"github.com/coder/coder/v2/coderd/util/slice"
 	"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/provisionersdk/proto"
@@ -781,6 +782,29 @@ func TemplateRoleActions(role codersdk.TemplateRole) []policy.Action {
 	return []policy.Action{}
 }
 
+func WorkspaceRoleActions(role codersdk.WorkspaceRole) []policy.Action {
+	switch role {
+	case codersdk.WorkspaceRoleAdmin:
+		return slice.Omit(
+			// Small note: This intentionally includes "create" because it's sort of
+			// double purposed as "can edit ACL". That's maybe a bit "incorrect", but
+			// it's what templates do already and we're copying that implementation.
+			rbac.ResourceWorkspace.AvailableActions(),
+			// Don't let anyone delete something they can't recreate.
+			policy.ActionDelete,
+		)
+	case codersdk.WorkspaceRoleUse:
+		return []policy.Action{
+			policy.ActionApplicationConnect,
+			policy.ActionRead,
+			policy.ActionSSH,
+			policy.ActionWorkspaceStart,
+			policy.ActionWorkspaceStop,
+		}
+	}
+	return []policy.Action{}
+}
+
 func ConnectionLogConnectionTypeFromAgentProtoConnectionType(typ agentproto.Connection_Type) (database.ConnectionType, error) {
 	switch typ {
 	case agentproto.Connection_SSH:
 
@@ -4919,6 +4919,18 @@ func (q *querier) UpdateWorkspace(ctx context.Context, arg database.UpdateWorksp
 	return updateWithReturn(q.log, q.auth, fetch, q.db.UpdateWorkspace)(ctx, arg)
 }
 
+func (q *querier) UpdateWorkspaceACLByID(ctx context.Context, arg database.UpdateWorkspaceACLByIDParams) error {
+	fetch := func(ctx context.Context, arg database.UpdateWorkspaceACLByIDParams) (database.WorkspaceTable, error) {
+		w, err := q.db.GetWorkspaceByID(ctx, arg.ID)
+		if err != nil {
+			return database.WorkspaceTable{}, err
+		}
+		return w.WorkspaceTable(), nil
+	}
+
+	return fetchAndExec(q.log, q.auth, policy.ActionCreate, fetch, q.db.UpdateWorkspaceACLByID)(ctx, arg)
+}
+
 func (q *querier) UpdateWorkspaceAgentConnectionByID(ctx context.Context, arg database.UpdateWorkspaceAgentConnectionByIDParams) error {
 	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
 		return err
 
@@ -2146,6 +2146,22 @@ func (s *MethodTestSuite) TestWorkspace() {
 		// no asserts here because SQLFilter
 		check.Args([]uuid.UUID{}, emptyPreparedAuthorized{}).Asserts()
 	}))
+	s.Run("UpdateWorkspaceACLByID", s.Subtest(func(db database.Store, check *expects) {
+		u := dbgen.User(s.T(), db, database.User{})
+		o := dbgen.Organization(s.T(), db, database.Organization{})
+		tpl := dbgen.Template(s.T(), db, database.Template{
+			OrganizationID: o.ID,
+			CreatedBy:      u.ID,
+		})
+		ws := dbgen.Workspace(s.T(), db, database.WorkspaceTable{
+			OwnerID:        u.ID,
+			OrganizationID: o.ID,
+			TemplateID:     tpl.ID,
+		})
+		check.Args(database.UpdateWorkspaceACLByIDParams{
+			ID: ws.ID,
+		}).Asserts(ws, policy.ActionCreate)
+	}))
 	s.Run("GetLatestWorkspaceBuildByWorkspaceID", s.Subtest(func(db database.Store, check *expects) {
 		u := dbgen.User(s.T(), db, database.User{})
 		o := dbgen.Organization(s.T(), db, database.Organization{})
 
@@ -276,7 +276,9 @@ func (w WorkspaceTable) RBACObject() rbac.Object {
 
 	return rbac.ResourceWorkspace.WithID(w.ID).
 		InOrg(w.OrganizationID).
-		WithOwner(w.OwnerID.String())
+		WithOwner(w.OwnerID.String()).
+		WithGroupACL(w.GroupACL.RBACACL()).
+		WithACLUserList(w.UserACL.RBACACL())
 }
 
 func (w WorkspaceTable) DormantRBAC() rbac.Object {
Original file line number	Diff line number	Diff line change
`@@ -360,7 +360,8 @@ func assertProduce(t *testing.T, comment SwaggerComment) {`
`360`	`360`	`(comment.router == "/workspaceagents/me/startup/logs" && comment.method == "patch") \|\|`
`361`	`361`	`(comment.router == "/licenses/{id}" && comment.method == "delete") \|\|`
`362`	`362`	`(comment.router == "/debug/coordinator" && comment.method == "get") \|\|`
`363`		`- (comment.router == "/debug/tailnet" && comment.method == "get") {`
	`363`	`+ (comment.router == "/debug/tailnet" && comment.method == "get") \|\|`
	`364`	`+ (comment.router == "/workspaces/{workspace}/acl" && comment.method == "patch") {`
`364`	`365`	`return // Exception: HTTP 200 is returned without response entity`
`365`	`366`	`}`
`366`	`367`
Original file line number	Diff line number	Diff line change
`@@ -276,7 +276,9 @@ func (w WorkspaceTable) RBACObject() rbac.Object {`
`276`	`276`
`277`	`277`	`return rbac.ResourceWorkspace.WithID(w.ID).`
`278`	`278`	`InOrg(w.OrganizationID).`
`279`		`- WithOwner(w.OwnerID.String())`
	`279`	`+ WithOwner(w.OwnerID.String()).`
	`280`	`+ WithGroupACL(w.GroupACL.RBACACL()).`
	`281`	`+ WithACLUserList(w.UserACL.RBACACL())`
`280`	`282`	`}`
`281`	`283`
`282`	`284`	`func (w WorkspaceTable) DormantRBAC() rbac.Object {`