[server] Allow all team members to cancel a team prebuild

gitpod-io · Nov 16, 2021 · 490d0fa · 490d0fa
1 parent f3ecc7f
commit 490d0fa
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/components/server/ee/src/workspace/gitpod-server-impl.ts b/components/server/ee/src/workspace/gitpod-server-impl.ts
@@ -1597,7 +1597,6 @@ export class GitpodServerEEImpl extends GitpodServerImpl<GitpodClient, GitpodSer
             throw new ResponseError(ErrorCodes.NOT_FOUND, "Prebuild not found");
         }
         // Explicitly stopping the prebuild workspace now automaticaly cancels the prebuild
-        // TODO(janx): Make access guards compatible with teams
         await this.stopWorkspace(prebuild.buildWorkspaceId);
     }
 

diff --git a/components/server/src/workspace/gitpod-server-impl.ts b/components/server/src/workspace/gitpod-server-impl.ts
@@ -513,7 +513,14 @@ export class GitpodServerImpl<Client extends GitpodClient, Server extends Gitpod
 
         try {
             const workspace = await this.internalGetWorkspace(workspaceId, this.workspaceDb.trace({ span }));
-            await this.guardAccess({ kind: "workspace", subject: workspace }, "get");
+            if (workspace.type === 'prebuild') {
+                // If this is a team prebuild, any team member can stop it.
+                const teamMembers = await this.getTeamMembersByProject(workspace.projectId);
+                await this.guardAccess({ kind: "workspace", subject: workspace, teamMembers }, "get");
+            } else {
+                // If this is not a prebuild, or it's a personal prebuild, only the workspace owner can stop it.
+                await this.guardAccess({ kind: "workspace", subject: workspace }, "get");
+            }
 
             this.internalStopWorkspace({ span }, workspace).catch(err => {
                 log.error(logCtx, "stopWorkspace error: ", err);
@@ -538,7 +545,14 @@ export class GitpodServerImpl<Client extends GitpodClient, Server extends Gitpod
         // that is logged in).
         // The guard check happens in guardAdminAccess(...) for admin users.
         if (!admin) {
-            await this.guardAccess({ kind: "workspaceInstance", subject: instance, workspace }, "update");
+            if (workspace.type === 'prebuild') {
+                // If this is a team prebuild, any team member can stop it.
+                const teamMembers = await this.getTeamMembersByProject(workspace.projectId);
+                await this.guardAccess({ kind: "workspaceInstance", subject: instance, workspace, teamMembers }, "update");
+            } else {
+                // If this is not a prebuild, or it's a personal prebuild, only the workspace owner can stop it.
+                await this.guardAccess({ kind: "workspaceInstance", subject: instance, workspace }, "update");
+            }
         }
         await this.internalStopWorkspaceInstance(ctx, instance.id, instance.region, policy);
     }