@@ -44,6 +44,44 @@ func agplUserQuietHoursScheduleStore() *atomic.Pointer[agplschedule.UserQuietHou
44
44
func TestCreateWorkspace (t * testing.T ) {
45
45
t .Parallel ()
46
46
47
+ t .Run ("NoTemplateAccess" , func (t * testing.T ) {
48
+ t .Parallel ()
49
+
50
+ dv := coderdtest .DeploymentValues (t )
51
+ dv .Experiments = []string {string (codersdk .ExperimentMultiOrganization )}
52
+ client , first := coderdenttest .New (t , & coderdenttest.Options {
53
+ Options : & coderdtest.Options {
54
+ DeploymentValues : dv ,
55
+ },
56
+ LicenseOptions : & coderdenttest.LicenseOptions {
57
+ Features : license.Features {
58
+ codersdk .FeatureTemplateRBAC : 1 ,
59
+ codersdk .FeatureMultipleOrganizations : 1 ,
60
+ },
61
+ }})
62
+
63
+ other , _ := coderdtest .CreateAnotherUser (t , client , first .OrganizationID , rbac .RoleMember (), rbac .RoleOwner ())
64
+
65
+ ctx , cancel := context .WithTimeout (context .Background (), testutil .WaitLong )
66
+ defer cancel ()
67
+
68
+ org , err := other .CreateOrganization (ctx , codersdk.CreateOrganizationRequest {
69
+ Name : "another" ,
70
+ })
71
+ require .NoError (t , err )
72
+ version := coderdtest .CreateTemplateVersion (t , other , org .ID , nil )
73
+ template := coderdtest .CreateTemplate (t , other , org .ID , version .ID )
74
+
75
+ _ , err = client .CreateWorkspace (ctx , first .OrganizationID , codersdk .Me , codersdk.CreateWorkspaceRequest {
76
+ TemplateID : template .ID ,
77
+ Name : "workspace" ,
78
+ })
79
+ require .Error (t , err )
80
+ var apiErr * codersdk.Error
81
+ require .ErrorAs (t , err , & apiErr )
82
+ require .Equal (t , http .StatusForbidden , apiErr .StatusCode ())
83
+ })
84
+
47
85
// Test that a user cannot indirectly access
48
86
// a template they do not have access to.
49
87
t .Run ("Unauthorized" , func (t * testing.T ) {
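Review bot: The new `NoTemplateAccess` subtest has no comment saying which rule is expected to deny the request, and its only check on the outcome is the 403 status, so any authorization failure on this call would satisfy it. From the visible lines, the template is created in the organization that `other` creates, while the workspace is requested in `first.OrganizationID`. A comment such as `// A template from another organization must not be usable to create a workspace in this one.` would pin the intent, as the comment on the `Unauthorized` subtest below does. The caller is `client`, which appears to be the deployment's first user; if that user is an owner, consider repeating the request as a plain member created with `coderdtest.CreateAnotherUser`, so the denial is also verified for a least-privileged caller. `TestCreateWorkspace` continues past the end of this hunk.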