@@ -254,6 +254,59 @@ func TestCreateUserWorkspace(t *testing.T) {
254254t .Run ("ForAnotherUser" ,func (t * testing.T ) {
255255t .Parallel ()
256256
257+ owner ,first := coderdenttest .New (t ,& coderdenttest.Options {
258+ Options :& coderdtest.Options {
259+ IncludeProvisionerDaemon :true ,
260+ },
261+ LicenseOptions :& coderdenttest.LicenseOptions {
262+ Features : license.Features {
263+ codersdk .FeatureCustomRoles :1 ,
264+ codersdk .FeatureTemplateRBAC :1 ,
265+ },
266+ },
267+ })
268+ ctx := testutil .Context (t ,testutil .WaitShort )
269+ //nolint:gocritic // using owner to setup roles
270+ r ,err := owner .CreateOrganizationRole (ctx , codersdk.Role {
271+ Name :"creator" ,
272+ OrganizationID :first .OrganizationID .String (),
273+ DisplayName :"Creator" ,
274+ OrganizationPermissions :codersdk .CreatePermissions (map [codersdk.RBACResource ][]codersdk.RBACAction {
275+ codersdk .ResourceWorkspace : {codersdk .ActionCreate ,codersdk .ActionWorkspaceStart ,codersdk .ActionUpdate ,codersdk .ActionRead },
276+ codersdk .ResourceOrganizationMember : {codersdk .ActionRead },
277+ }),
278+ })
279+ require .NoError (t ,err )
280+
281+ // use admin for setting up test
282+ admin ,adminID := coderdtest .CreateAnotherUser (t ,owner ,first .OrganizationID ,rbac .RoleTemplateAdmin ())
283+
284+ // try the test action with this user & custom role
285+ creator ,_ := coderdtest .CreateAnotherUser (t ,owner ,first .OrganizationID ,rbac .RoleMember (), rbac.RoleIdentifier {
286+ Name :r .Name ,
287+ OrganizationID :first .OrganizationID ,
288+ })
289+
290+ template ,_ := coderdtest .DynamicParameterTemplate (t ,admin ,first .OrganizationID , coderdtest.DynamicParameterTemplateParams {})
291+
292+ ctx = testutil .Context (t ,testutil .WaitLong * 1000 )// Reset the context to avoid timeouts.
293+
294+ wrk ,err := creator .CreateUserWorkspace (ctx ,adminID .ID .String (), codersdk.CreateWorkspaceRequest {
295+ TemplateID :template .ID ,
296+ Name :"workspace" ,
297+ })
298+ require .NoError (t ,err )
299+ coderdtest .AwaitWorkspaceBuildJobCompleted (t ,admin ,wrk .LatestBuild .ID )
300+
301+ _ ,err = creator .WorkspaceByOwnerAndName (ctx ,adminID .Username ,wrk .Name , codersdk.WorkspaceOptions {
302+ IncludeDeleted :false ,
303+ })
304+ require .NoError (t ,err )
305+ })
306+
307+ t .Run ("ForANonOrgMember" ,func (t * testing.T ) {
308+ t .Parallel ()
309+
257310owner ,first := coderdenttest .New (t ,& coderdenttest.Options {
258311Options :& coderdtest.Options {
259312IncludeProvisionerDaemon :true ,
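Review bot: The new `ForAnotherUser` subtest only asserts that the calls succeed; it never checks that the workspace created on behalf of another user is actually owned by that user and not by the caller. Adding `require.Equal(t, adminID.ID, wrk.OwnerID)` after the first `require.NoError(t, err)` would pin the ownership, which is the authorization-relevant outcome of this endpoint. A companion case where a plain member without the custom `creator` role makes the same `CreateUserWorkspace` call and gets an error would show that the role is what grants the access. Separately, `testutil.WaitLong * 1000` effectively removes the deadline, so a hang here would run until the global test timeout; `testutil.Context(t, testutil.WaitLong)` looks sufficient unless the build is known to take longer.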
@@ -279,23 +332,24 @@ func TestCreateUserWorkspace(t *testing.T) {
279332})
280333require .NoError (t ,err )
281334
282- secondOrg := coderdenttest .CreateOrganization (t ,owner , coderdenttest.CreateOrganizationOptions {})
283-
284335// user to make the workspace for, **note** the user is not a member of the first org.
285336// This is strange, but technically valid. The creator can create a workspace for
286337// this user in this org, even though the user cannot access the workspace.
338+ secondOrg := coderdenttest .CreateOrganization (t ,owner , coderdenttest.CreateOrganizationOptions {})
287339_ ,forUser := coderdtest .CreateAnotherUser (t ,owner ,secondOrg .ID )
288340
289- // Need an admin to make the template
290- admin ,_ := coderdtest .CreateAnotherUser (t ,owner ,first .OrganizationID ,rbac .ScopedRoleOrgTemplateAdmin (first .OrganizationID ))
291-
292341// try the test action with this user & custom role
293- creator ,_ := coderdtest .CreateAnotherUser (t ,owner ,first .OrganizationID ,rbac .RoleMember (), rbac.RoleIdentifier {
294- Name :r .Name ,
295- OrganizationID :first .OrganizationID ,
296- })
342+ creator ,_ := coderdtest .CreateAnotherUser (t ,owner ,first .OrganizationID ,rbac .RoleMember (),
343+ rbac .RoleTemplateAdmin (),// Need site wide access to make workspace for non-org
344+ rbac.RoleIdentifier {
345+ Name :r .Name ,
346+ OrganizationID :first .OrganizationID ,
347+ },
348+ )
297349
298- template ,_ := coderdtest .DynamicParameterTemplate (t ,admin ,first .OrganizationID , coderdtest.DynamicParameterTemplateParams {})
350+ version := coderdtest .CreateTemplateVersion (t ,creator ,first .OrganizationID ,nil )
351+ coderdtest .AwaitTemplateVersionJobCompleted (t ,creator ,version .ID )
352+ template := coderdtest .CreateTemplate (t ,creator ,first .OrganizationID ,version .ID )
299353
300354ctx = testutil .Context (t ,testutil .WaitLong * 1000 )// Reset the context to avoid timeouts.
301355
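Review bot: Giving `creator` the site-wide `rbac.RoleTemplateAdmin()` means `ForANonOrgMember` no longer shows what the custom `creator` role permits on its own, because the principal under test now also holds a much broader role and builds the template itself. If site-wide access really is required to create a workspace for a non-member, that boundary deserves its own assertion: repeat the call with a user who holds only `rbac.RoleMember()` plus the custom role and expect `require.Error(t, err)`. Keeping a separate admin client for `CreateTemplateVersion`/`CreateTemplate` would also keep setup privileges apart from the privileges being tested. The rest of the subtest, including the `CreateUserWorkspace` call, is outside this hunk, so an existing negative check there may already cover part of this.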