From e6955804152989657d126dba9cdac51f428a1150 Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Mon, 10 Mar 2025 21:53:29 +0000
Subject: [PATCH 01/12] chore: hide workspace creation UI for users without
 permission

---
 site/src/modules/permissions/organizations.ts |  8 +++++++
 .../src/pages/TemplatesPage/TemplatesPage.tsx | 12 +++++++++-
 .../pages/TemplatesPage/TemplatesPageView.tsx | 15 +++++++++---
 .../pages/WorkspacesPage/WorkspacesPage.tsx   | 24 +++++++++++++++++--
 4 files changed, 53 insertions(+), 6 deletions(-)

diff --git a/site/src/modules/permissions/organizations.ts b/site/src/modules/permissions/organizations.ts
index 0a7cb505c2a4b..79e7616e2c137 100644
--- a/site/src/modules/permissions/organizations.ts
+++ b/site/src/modules/permissions/organizations.ts
@@ -115,6 +115,14 @@ export const organizationPermissionChecks = (organizationId: string) =>
 			},
 			action: "update",
 		},
+		createWorkspaces: {
+			object: {
+				resource_type: "workspace",
+				organization_id: organizationId,
+				owner_id: "*",
+			},
+			action: "create",
+		},
 	}) as const satisfies Record<string, AuthorizationCheck>;
 
 /**
diff --git a/site/src/pages/TemplatesPage/TemplatesPage.tsx b/site/src/pages/TemplatesPage/TemplatesPage.tsx
index de09956d44d1d..11779c0f1629b 100644
--- a/site/src/pages/TemplatesPage/TemplatesPage.tsx
+++ b/site/src/pages/TemplatesPage/TemplatesPage.tsx
@@ -1,3 +1,4 @@
+import { organizationsPermissions } from "api/queries/organizations";
 import { templateExamples, templates } from "api/queries/templates";
 import { useFilter } from "components/Filter/Filter";
 import { useAuthenticated } from "contexts/auth/RequireAuth";
@@ -25,7 +26,15 @@ export const TemplatesPage: FC = () => {
 		...templateExamples(),
 		enabled: permissions.createTemplates,
 	});
-	const error = templatesQuery.error || examplesQuery.error;
+
+	const orgPermissionsQuery = useQuery(
+		organizationsPermissions(
+			templatesQuery.data?.map((template) => template.organization_id),
+		),
+	);
+
+	const error =
+		templatesQuery.error || examplesQuery.error || orgPermissionsQuery.error;
 
 	return (
 		<>
@@ -39,6 +48,7 @@ export const TemplatesPage: FC = () => {
 				canCreateTemplates={permissions.createTemplates}
 				examples={examplesQuery.data}
 				templates={templatesQuery.data}
+				orgPermissions={orgPermissionsQuery.data}
 			/>
 		</>
 	);
diff --git a/site/src/pages/TemplatesPage/TemplatesPageView.tsx b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
index 5d2a512980d8e..54c0da8bb3c12 100644
--- a/site/src/pages/TemplatesPage/TemplatesPageView.tsx
+++ b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
@@ -39,6 +39,7 @@ import {
 } from "components/TableLoader/TableLoader";
 import { useClickableTableRow } from "hooks/useClickableTableRow";
 import { PlusIcon } from "lucide-react";
+import type { OrganizationPermissions } from "modules/management/organizationPermissions";
 import { linkToTemplate, useLinks } from "modules/navigation";
 import type { FC } from "react";
 import { Link, useNavigate } from "react-router-dom";
@@ -87,9 +88,14 @@ const TemplateHelpTooltip: FC = () => {
 interface TemplateRowProps {
 	showOrganizations: boolean;
 	template: Template;
+	orgPermissions: Record<string, OrganizationPermissions> | undefined;
 }
 
-const TemplateRow: FC<TemplateRowProps> = ({ showOrganizations, template }) => {
+const TemplateRow: FC<TemplateRowProps> = ({
+	showOrganizations,
+	template,
+	orgPermissions,
+}) => {
 	const getLink = useLinks();
 	const templatePageLink = getLink(
 		linkToTemplate(template.organization_name, template.name),
@@ -153,7 +159,7 @@ const TemplateRow: FC<TemplateRowProps> = ({ showOrganizations, template }) => {
 			<TableCell css={styles.actionCell}>
 				{template.deprecated ? (
 					<DeprecatedBadge />
-				) : (
+				) : orgPermissions?.[template.organization_id]?.createWorkspaces ? (
 					<MuiButton
 						size="small"
 						css={styles.actionButton}
@@ -167,7 +173,7 @@ const TemplateRow: FC<TemplateRowProps> = ({ showOrganizations, template }) => {
 					>
 						Create Workspace
 					</MuiButton>
-				)}
+				) : null}
 			</TableCell>
 		</TableRow>
 	);
@@ -180,6 +186,7 @@ export interface TemplatesPageViewProps {
 	canCreateTemplates: boolean;
 	examples: TemplateExample[] | undefined;
 	templates: Template[] | undefined;
+	orgPermissions: Record<string, OrganizationPermissions> | undefined;
 }
 
 export const TemplatesPageView: FC<TemplatesPageViewProps> = ({
@@ -189,6 +196,7 @@ export const TemplatesPageView: FC<TemplatesPageViewProps> = ({
 	canCreateTemplates,
 	examples,
 	templates,
+	orgPermissions,
 }) => {
 	const isLoading = !templates;
 	const isEmpty = templates && templates.length === 0;
@@ -250,6 +258,7 @@ export const TemplatesPageView: FC<TemplatesPageViewProps> = ({
 									key={template.id}
 									showOrganizations={showOrganizations}
 									template={template}
+									orgPermissions={orgPermissions}
 								/>
 							))
 						)}
diff --git a/site/src/pages/WorkspacesPage/WorkspacesPage.tsx b/site/src/pages/WorkspacesPage/WorkspacesPage.tsx
index e94ccbbd86605..d8a999710cf37 100644
--- a/site/src/pages/WorkspacesPage/WorkspacesPage.tsx
+++ b/site/src/pages/WorkspacesPage/WorkspacesPage.tsx
@@ -1,3 +1,4 @@
+import { organizationsPermissions } from "api/queries/organizations";
 import { templates } from "api/queries/templates";
 import type { Workspace } from "api/typesGenerated";
 import { useFilter } from "components/Filter/Filter";
@@ -7,7 +8,7 @@ import { useEffectEvent } from "hooks/hookPolyfills";
 import { usePagination } from "hooks/usePagination";
 import { useDashboard } from "modules/dashboard/useDashboard";
 import { useOrganizationsFilterMenu } from "modules/tableFiltering/options";
-import { type FC, useEffect, useState } from "react";
+import { type FC, useEffect, useMemo, useState } from "react";
 import { Helmet } from "react-helmet-async";
 import { useQuery } from "react-query";
 import { useSearchParams } from "react-router-dom";
@@ -44,6 +45,25 @@ const WorkspacesPage: FC = () => {
 
 	const templatesQuery = useQuery(templates());
 
+	// Check if user can create workspaces in each organization
+	const orgPermissionsQuery = useQuery(
+		organizationsPermissions(
+			templatesQuery.data?.map((template) => template.organization_id),
+		),
+	);
+
+	// Filter templates based on workspace creation permission
+	const filteredTemplates = useMemo(() => {
+		if (!templatesQuery.data || !orgPermissionsQuery.data) {
+			return templatesQuery.data;
+		}
+
+		return templatesQuery.data.filter((template) => {
+			const orgPermission = orgPermissionsQuery.data[template.organization_id];
+			return orgPermission?.createWorkspaces;
+		});
+	}, [templatesQuery.data, orgPermissionsQuery.data]);
+
 	const filterProps = useWorkspacesFilter({
 		searchParamsResult,
 		onFilterChange: () => pagination.goToPage(1),
@@ -90,7 +110,7 @@ const WorkspacesPage: FC = () => {
 				checkedWorkspaces={checkedWorkspaces}
 				onCheckChange={setCheckedWorkspaces}
 				canCheckWorkspaces={canCheckWorkspaces}
-				templates={templatesQuery.data}
+				templates={filteredTemplates}
 				templatesFetchStatus={templatesQuery.status}
 				workspaces={data?.workspaces}
 				error={error}

From 1da44737b8ad07918bb395698fe4e6b5d25449e2 Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Mon, 10 Mar 2025 22:46:44 +0000
Subject: [PATCH 02/12] fix: fix import

---
 site/src/pages/TemplatesPage/TemplatesPageView.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/site/src/pages/TemplatesPage/TemplatesPageView.tsx b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
index 54c0da8bb3c12..0b2ede6f08536 100644
--- a/site/src/pages/TemplatesPage/TemplatesPageView.tsx
+++ b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
@@ -39,7 +39,7 @@ import {
 } from "components/TableLoader/TableLoader";
 import { useClickableTableRow } from "hooks/useClickableTableRow";
 import { PlusIcon } from "lucide-react";
-import type { OrganizationPermissions } from "modules/management/organizationPermissions";
+import type { OrganizationPermissions } from "modules/permissions/organizations";
 import { linkToTemplate, useLinks } from "modules/navigation";
 import type { FC } from "react";
 import { Link, useNavigate } from "react-router-dom";

From b9ec2489f0156cb7ec8400c0d6c3003143fa9563 Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Tue, 11 Mar 2025 17:24:52 +0000
Subject: [PATCH 03/12] fix: update entities

---
 site/src/testHelpers/entities.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/site/src/testHelpers/entities.ts b/site/src/testHelpers/entities.ts
index a298dea4ffd9d..344a2d0735f8d 100644
--- a/site/src/testHelpers/entities.ts
+++ b/site/src/testHelpers/entities.ts
@@ -2922,6 +2922,7 @@ export const MockOrganizationPermissions: OrganizationPermissions = {
 	viewProvisionerJobs: true,
 	viewIdpSyncSettings: true,
 	editIdpSyncSettings: true,
+	createWorkspaces: true,
 };
 
 export const MockNoOrganizationPermissions: OrganizationPermissions = {
@@ -2940,6 +2941,7 @@ export const MockNoOrganizationPermissions: OrganizationPermissions = {
 	viewProvisionerJobs: false,
 	viewIdpSyncSettings: false,
 	editIdpSyncSettings: false,
+	createWorkspaces: false,
 };
 
 export const MockDeploymentConfig: DeploymentConfig = {

From d5033d1a74fe02ac89b9cddb7546870183c5142d Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Tue, 11 Mar 2025 18:15:58 +0000
Subject: [PATCH 04/12] fix: format

---
 site/src/pages/TemplatesPage/TemplatesPageView.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/site/src/pages/TemplatesPage/TemplatesPageView.tsx b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
index 0b2ede6f08536..2710765499b34 100644
--- a/site/src/pages/TemplatesPage/TemplatesPageView.tsx
+++ b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
@@ -39,8 +39,8 @@ import {
 } from "components/TableLoader/TableLoader";
 import { useClickableTableRow } from "hooks/useClickableTableRow";
 import { PlusIcon } from "lucide-react";
-import type { OrganizationPermissions } from "modules/permissions/organizations";
 import { linkToTemplate, useLinks } from "modules/navigation";
+import type { OrganizationPermissions } from "modules/permissions/organizations";
 import type { FC } from "react";
 import { Link, useNavigate } from "react-router-dom";
 import { createDayString } from "utils/createDayString";

From ff77fe9886883b7e10d64ae1838b3092c25835ff Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Wed, 26 Mar 2025 11:34:40 +0000
Subject: [PATCH 05/12] chore: hide create workspace button on template header

---
 site/src/pages/TemplatePage/TemplateLayout.tsx     | 11 +++++++++--
 site/src/pages/TemplatePage/TemplatePageHeader.tsx |  5 ++++-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/site/src/pages/TemplatePage/TemplateLayout.tsx b/site/src/pages/TemplatePage/TemplateLayout.tsx
index cf1c3f84ddd55..68dccd0218ae0 100644
--- a/site/src/pages/TemplatePage/TemplateLayout.tsx
+++ b/site/src/pages/TemplatePage/TemplateLayout.tsx
@@ -1,4 +1,5 @@
 import { API } from "api/api";
+import { organizationsPermissions } from "api/queries/organizations";
 import type { AuthorizationRequest } from "api/typesGenerated";
 import { ErrorAlert } from "components/Alert/ErrorAlert";
 import { Loader } from "components/Loader/Loader";
@@ -77,6 +78,9 @@ export const TemplateLayout: FC<PropsWithChildren> = ({
 		queryKey: ["template", templateName],
 		queryFn: () => fetchTemplate(organizationName, templateName),
 	});
+	const orgPermissionsQuery = useQuery(
+		organizationsPermissions([organizationName]),
+	);
 	const location = useLocation();
 	const paths = location.pathname.split("/");
 	const activeTab = paths.at(-1) === templateName ? "summary" : paths.at(-1)!;
@@ -85,7 +89,7 @@ export const TemplateLayout: FC<PropsWithChildren> = ({
 	const shouldShowInsights =
 		data?.permissions?.canUpdateTemplate || data?.permissions?.canReadInsights;
 
-	if (error) {
+	if (error || orgPermissionsQuery.error) {
 		return (
 			<div css={{ margin: 16 }}>
 				<ErrorAlert error={error} />
@@ -93,16 +97,19 @@ export const TemplateLayout: FC<PropsWithChildren> = ({
 		);
 	}
 
-	if (isLoading || !data) {
+	if (isLoading || !data || !orgPermissionsQuery.data) {
 		return <Loader />;
 	}
 
+	const orgPermissions = orgPermissionsQuery.data?.[organizationName];
+
 	return (
 		<>
 			<TemplatePageHeader
 				template={data.template}
 				activeVersion={data.activeVersion}
 				permissions={data.permissions}
+				orgPermissions={orgPermissions}
 				onDeleteTemplate={() => {
 					navigate("/templates");
 				}}
diff --git a/site/src/pages/TemplatePage/TemplatePageHeader.tsx b/site/src/pages/TemplatePage/TemplatePageHeader.tsx
index 7bb1d9e54a4c2..761c40aa047fd 100644
--- a/site/src/pages/TemplatePage/TemplatePageHeader.tsx
+++ b/site/src/pages/TemplatePage/TemplatePageHeader.tsx
@@ -31,6 +31,7 @@ import {
 import { Pill } from "components/Pill/Pill";
 import { Stack } from "components/Stack/Stack";
 import { linkToTemplate, useLinks } from "modules/navigation";
+import type { OrganizationPermissions } from "modules/permissions/organizations";
 import type { FC } from "react";
 import { useQuery } from "react-query";
 import { Link as RouterLink, useNavigate } from "react-router-dom";
@@ -158,6 +159,7 @@ export type TemplatePageHeaderProps = {
 	template: Template;
 	activeVersion: TemplateVersion;
 	permissions: AuthorizationResponse;
+	orgPermissions: OrganizationPermissions;
 	onDeleteTemplate: () => void;
 };
 
@@ -165,6 +167,7 @@ export const TemplatePageHeader: FC<TemplatePageHeaderProps> = ({
 	template,
 	activeVersion,
 	permissions,
+	orgPermissions,
 	onDeleteTemplate,
 }) => {
 	const getLink = useLinks();
@@ -177,7 +180,7 @@ export const TemplatePageHeader: FC<TemplatePageHeaderProps> = ({
 			<PageHeader
 				actions={
 					<>
-						{!template.deprecated && (
+						{!template.deprecated && orgPermissions.createWorkspaces && (
 							<Button
 								variant="contained"
 								startIcon={<AddIcon />}

From d77f5814c62b840dda0fe405c2014da2b5baeae6 Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Mon, 10 Mar 2025 21:53:29 +0000
Subject: [PATCH 06/12] chore: hide workspace creation UI for users without
 permission

---
 site/src/pages/TemplatesPage/TemplatesPageView.tsx | 1 +
 1 file changed, 1 insertion(+)

diff --git a/site/src/pages/TemplatesPage/TemplatesPageView.tsx b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
index 2710765499b34..0a5dd54f71367 100644
--- a/site/src/pages/TemplatesPage/TemplatesPageView.tsx
+++ b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
@@ -39,6 +39,7 @@ import {
 } from "components/TableLoader/TableLoader";
 import { useClickableTableRow } from "hooks/useClickableTableRow";
 import { PlusIcon } from "lucide-react";
+import type { OrganizationPermissions } from "modules/management/organizationPermissions";
 import { linkToTemplate, useLinks } from "modules/navigation";
 import type { OrganizationPermissions } from "modules/permissions/organizations";
 import type { FC } from "react";

From 8b159acbcee6f10fa262d24cd8f82d3355a0307a Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Mon, 10 Mar 2025 22:46:44 +0000
Subject: [PATCH 07/12] fix: fix import

---
 site/src/pages/TemplatesPage/TemplatesPageView.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/site/src/pages/TemplatesPage/TemplatesPageView.tsx b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
index 0a5dd54f71367..9b30a28886790 100644
--- a/site/src/pages/TemplatesPage/TemplatesPageView.tsx
+++ b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
@@ -39,7 +39,7 @@ import {
 } from "components/TableLoader/TableLoader";
 import { useClickableTableRow } from "hooks/useClickableTableRow";
 import { PlusIcon } from "lucide-react";
-import type { OrganizationPermissions } from "modules/management/organizationPermissions";
+import type { OrganizationPermissions } from "modules/permissions/organizations";
 import { linkToTemplate, useLinks } from "modules/navigation";
 import type { OrganizationPermissions } from "modules/permissions/organizations";
 import type { FC } from "react";

From 5e70928e757fb220a4cfb2cadb91c6cbcc66f067 Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Tue, 11 Mar 2025 18:15:58 +0000
Subject: [PATCH 08/12] fix: format

---
 site/src/pages/TemplatesPage/TemplatesPageView.tsx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/site/src/pages/TemplatesPage/TemplatesPageView.tsx b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
index 9b30a28886790..2710765499b34 100644
--- a/site/src/pages/TemplatesPage/TemplatesPageView.tsx
+++ b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
@@ -39,7 +39,6 @@ import {
 } from "components/TableLoader/TableLoader";
 import { useClickableTableRow } from "hooks/useClickableTableRow";
 import { PlusIcon } from "lucide-react";
-import type { OrganizationPermissions } from "modules/permissions/organizations";
 import { linkToTemplate, useLinks } from "modules/navigation";
 import type { OrganizationPermissions } from "modules/permissions/organizations";
 import type { FC } from "react";

From 8b4be15200eb528190527507796b93c8e12ef5a0 Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Wed, 26 Mar 2025 11:37:44 +0000
Subject: [PATCH 09/12] chore: cleanup

---
 site/src/pages/WorkspacesPage/WorkspacesPage.tsx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/site/src/pages/WorkspacesPage/WorkspacesPage.tsx b/site/src/pages/WorkspacesPage/WorkspacesPage.tsx
index d8a999710cf37..c22de18f4ed4d 100644
--- a/site/src/pages/WorkspacesPage/WorkspacesPage.tsx
+++ b/site/src/pages/WorkspacesPage/WorkspacesPage.tsx
@@ -45,7 +45,6 @@ const WorkspacesPage: FC = () => {
 
 	const templatesQuery = useQuery(templates());
 
-	// Check if user can create workspaces in each organization
 	const orgPermissionsQuery = useQuery(
 		organizationsPermissions(
 			templatesQuery.data?.map((template) => template.organization_id),

From 352b29bb9e16a1bcc53d3ea29f5feb651e78b549 Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Wed, 26 Mar 2025 11:45:40 +0000
Subject: [PATCH 10/12] fix: fix test

---
 site/src/pages/TemplatePage/TemplatePageHeader.tsx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/site/src/pages/TemplatePage/TemplatePageHeader.tsx b/site/src/pages/TemplatePage/TemplatePageHeader.tsx
index 761c40aa047fd..8e4a7d758464a 100644
--- a/site/src/pages/TemplatePage/TemplatePageHeader.tsx
+++ b/site/src/pages/TemplatePage/TemplatePageHeader.tsx
@@ -159,7 +159,7 @@ export type TemplatePageHeaderProps = {
 	template: Template;
 	activeVersion: TemplateVersion;
 	permissions: AuthorizationResponse;
-	orgPermissions: OrganizationPermissions;
+	orgPermissions: OrganizationPermissions | undefined;
 	onDeleteTemplate: () => void;
 };
 
@@ -180,7 +180,7 @@ export const TemplatePageHeader: FC<TemplatePageHeaderProps> = ({
 			<PageHeader
 				actions={
 					<>
-						{!template.deprecated && orgPermissions.createWorkspaces && (
+						{!template.deprecated && orgPermissions?.createWorkspaces && (
 							<Button
 								variant="contained"
 								startIcon={<AddIcon />}

From 901825a824aed58099cd0e16063c945a70326361 Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Tue, 1 Apr 2025 22:38:31 +0000
Subject: [PATCH 11/12] chore: updates for PR review

---
 site/src/api/queries/organizations.ts         | 43 +++++++++++++++++++
 site/src/modules/permissions/organizations.ts |  8 ----
 site/src/modules/permissions/workspaces.ts    | 20 +++++++++
 .../CreateWorkspacePage.tsx                   |  9 ++--
 .../CreateWorkspacePageView.tsx               |  4 +-
 .../pages/CreateWorkspacePage/permissions.ts  | 16 -------
 .../src/pages/TemplatePage/TemplateLayout.tsx | 18 ++++----
 .../pages/TemplatePage/TemplatePageHeader.tsx | 26 +++++------
 .../src/pages/TemplatesPage/TemplatesPage.tsx | 12 +++---
 .../pages/TemplatesPage/TemplatesPageView.tsx | 15 ++++---
 .../pages/WorkspacesPage/WorkspacesPage.tsx   |  6 +--
 site/src/testHelpers/entities.ts              |  2 -
 12 files changed, 112 insertions(+), 67 deletions(-)
 create mode 100644 site/src/modules/permissions/workspaces.ts
 delete mode 100644 site/src/pages/CreateWorkspacePage/permissions.ts

diff --git a/site/src/api/queries/organizations.ts b/site/src/api/queries/organizations.ts
index 2dc0402d75484..b0e25a985bd0f 100644
--- a/site/src/api/queries/organizations.ts
+++ b/site/src/api/queries/organizations.ts
@@ -13,6 +13,11 @@ import {
 	type OrganizationPermissions,
 	organizationPermissionChecks,
 } from "modules/permissions/organizations";
+import {
+	type WorkspacePermissionName,
+	type WorkspacePermissions,
+	workspacePermissionChecks,
+} from "modules/permissions/workspaces";
 import type { QueryClient } from "react-query";
 import { meKey } from "./users";
 
@@ -299,6 +304,44 @@ export const organizationsPermissions = (
 	};
 };
 
+export const workspacePermissionsByOrganization = (
+	organizationIds: string[] | undefined,
+) => {
+	if (!organizationIds) {
+		return { enabled: false };
+	}
+
+	return {
+		queryKey: ["workspaces", organizationIds.sort(), "permissions"],
+		queryFn: async () => {
+			const prefixedChecks = organizationIds.flatMap((orgId) =>
+				Object.entries(workspacePermissionChecks(orgId)).map(([key, val]) => [
+					`${orgId}.${key}`,
+					val,
+				]),
+			);
+
+			const response = await API.checkAuthorization({
+				checks: Object.fromEntries(prefixedChecks),
+			});
+
+			return Object.entries(response).reduce(
+				(acc, [key, value]) => {
+					const index = key.indexOf(".");
+					const orgId = key.substring(0, index);
+					const perm = key.substring(index + 1);
+					if (!acc[orgId]) {
+						acc[orgId] = {};
+					}
+					acc[orgId][perm as WorkspacePermissionName] = value;
+					return acc;
+				},
+				{} as Record<string, Partial<WorkspacePermissions>>,
+			) as Record<string, WorkspacePermissions>;
+		},
+	};
+};
+
 export const getOrganizationIdpSyncClaimFieldValuesKey = (
 	organization: string,
 	field: string,
diff --git a/site/src/modules/permissions/organizations.ts b/site/src/modules/permissions/organizations.ts
index 79e7616e2c137..0a7cb505c2a4b 100644
--- a/site/src/modules/permissions/organizations.ts
+++ b/site/src/modules/permissions/organizations.ts
@@ -115,14 +115,6 @@ export const organizationPermissionChecks = (organizationId: string) =>
 			},
 			action: "update",
 		},
-		createWorkspaces: {
-			object: {
-				resource_type: "workspace",
-				organization_id: organizationId,
-				owner_id: "*",
-			},
-			action: "create",
-		},
 	}) as const satisfies Record<string, AuthorizationCheck>;
 
 /**
diff --git a/site/src/modules/permissions/workspaces.ts b/site/src/modules/permissions/workspaces.ts
new file mode 100644
index 0000000000000..9ebb75d4790de
--- /dev/null
+++ b/site/src/modules/permissions/workspaces.ts
@@ -0,0 +1,20 @@
+export const workspacePermissionChecks = (organizationId: string) =>
+	({
+		createWorkspaceForUser: {
+			object: {
+				resource_type: "workspace",
+				organization_id: organizationId,
+				owner_id: "*",
+			},
+			action: "create",
+		},
+	}) as const;
+
+export type WorkspacePermissions = Record<
+	keyof ReturnType<typeof workspacePermissionChecks>,
+	boolean
+>;
+
+export type WorkspacePermissionName = keyof ReturnType<
+	typeof workspacePermissionChecks
+>;
diff --git a/site/src/pages/CreateWorkspacePage/CreateWorkspacePage.tsx b/site/src/pages/CreateWorkspacePage/CreateWorkspacePage.tsx
index 150a79bd69487..26f1808b83152 100644
--- a/site/src/pages/CreateWorkspacePage/CreateWorkspacePage.tsx
+++ b/site/src/pages/CreateWorkspacePage/CreateWorkspacePage.tsx
@@ -17,6 +17,10 @@ import { Loader } from "components/Loader/Loader";
 import { useAuthenticated } from "contexts/auth/RequireAuth";
 import { useEffectEvent } from "hooks/hookPolyfills";
 import { useDashboard } from "modules/dashboard/useDashboard";
+import {
+	type WorkspacePermissions,
+	workspacePermissionChecks,
+} from "modules/permissions/workspaces";
 import { generateWorkspaceName } from "modules/workspaces/generateWorkspaceName";
 import { type FC, useCallback, useEffect, useRef, useState } from "react";
 import { Helmet } from "react-helmet-async";
@@ -26,7 +30,6 @@ import { pageTitle } from "utils/page";
 import type { AutofillBuildParameter } from "utils/richParameters";
 import { paramsUsedToCreateWorkspace } from "utils/workspace";
 import { CreateWorkspacePageView } from "./CreateWorkspacePageView";
-import { type CreateWSPermissions, createWorkspaceChecks } from "./permissions";
 
 export const createWorkspaceModes = ["form", "auto", "duplicate"] as const;
 export type CreateWorkspaceMode = (typeof createWorkspaceModes)[number];
@@ -64,7 +67,7 @@ const CreateWorkspacePage: FC = () => {
 	const permissionsQuery = useQuery(
 		templateQuery.data
 			? checkAuthorization({
-					checks: createWorkspaceChecks(templateQuery.data.organization_id),
+					checks: workspacePermissionChecks(templateQuery.data.organization_id),
 				})
 			: { enabled: false },
 	);
@@ -206,7 +209,7 @@ const CreateWorkspacePage: FC = () => {
 					externalAuthPollingState={externalAuthPollingState}
 					startPollingExternalAuth={startPollingExternalAuth}
 					hasAllRequiredExternalAuth={hasAllRequiredExternalAuth}
-					permissions={permissionsQuery.data as CreateWSPermissions}
+					permissions={permissionsQuery.data as WorkspacePermissions}
 					parameters={realizedParameters as TemplateVersionParameter[]}
 					presets={templateVersionPresetsQuery.data ?? []}
 					creatingWorkspace={createWorkspaceMutation.isLoading}
diff --git a/site/src/pages/CreateWorkspacePage/CreateWorkspacePageView.tsx b/site/src/pages/CreateWorkspacePage/CreateWorkspacePageView.tsx
index 6dab8de306a10..660580b5b80b8 100644
--- a/site/src/pages/CreateWorkspacePage/CreateWorkspacePageView.tsx
+++ b/site/src/pages/CreateWorkspacePage/CreateWorkspacePageView.tsx
@@ -28,6 +28,7 @@ import { Stack } from "components/Stack/Stack";
 import { Switch } from "components/Switch/Switch";
 import { UserAutocomplete } from "components/UserAutocomplete/UserAutocomplete";
 import { type FormikContextType, useFormik } from "formik";
+import type { WorkspacePermissions } from "modules/permissions/workspaces";
 import { generateWorkspaceName } from "modules/workspaces/generateWorkspaceName";
 import { type FC, useCallback, useEffect, useMemo, useState } from "react";
 import {
@@ -46,7 +47,6 @@ import type {
 	ExternalAuthPollingState,
 } from "./CreateWorkspacePage";
 import { ExternalAuthButton } from "./ExternalAuthButton";
-import type { CreateWSPermissions } from "./permissions";
 
 export const Language = {
 	duplicationWarning:
@@ -69,7 +69,7 @@ export interface CreateWorkspacePageViewProps {
 	parameters: TypesGen.TemplateVersionParameter[];
 	autofillParameters: AutofillBuildParameter[];
 	presets: TypesGen.Preset[];
-	permissions: CreateWSPermissions;
+	permissions: WorkspacePermissions;
 	creatingWorkspace: boolean;
 	onCancel: () => void;
 	onSubmit: (
diff --git a/site/src/pages/CreateWorkspacePage/permissions.ts b/site/src/pages/CreateWorkspacePage/permissions.ts
deleted file mode 100644
index 07bad5031ddc2..0000000000000
--- a/site/src/pages/CreateWorkspacePage/permissions.ts
+++ /dev/null
@@ -1,16 +0,0 @@
-export const createWorkspaceChecks = (organizationId: string) =>
-	({
-		createWorkspaceForUser: {
-			object: {
-				resource_type: "workspace",
-				organization_id: organizationId,
-				owner_id: "*",
-			},
-			action: "create",
-		},
-	}) as const;
-
-export type CreateWSPermissions = Record<
-	keyof ReturnType<typeof createWorkspaceChecks>,
-	boolean
->;
diff --git a/site/src/pages/TemplatePage/TemplateLayout.tsx b/site/src/pages/TemplatePage/TemplateLayout.tsx
index 68dccd0218ae0..93d25d6f591db 100644
--- a/site/src/pages/TemplatePage/TemplateLayout.tsx
+++ b/site/src/pages/TemplatePage/TemplateLayout.tsx
@@ -1,10 +1,11 @@
 import { API } from "api/api";
-import { organizationsPermissions } from "api/queries/organizations";
+import { checkAuthorization } from "api/queries/authCheck";
 import type { AuthorizationRequest } from "api/typesGenerated";
 import { ErrorAlert } from "components/Alert/ErrorAlert";
 import { Loader } from "components/Loader/Loader";
 import { Margins } from "components/Margins/Margins";
 import { TabLink, Tabs, TabsList } from "components/Tabs/Tabs";
+import { workspacePermissionChecks } from "modules/permissions/workspaces";
 import {
 	type FC,
 	type PropsWithChildren,
@@ -78,9 +79,12 @@ export const TemplateLayout: FC<PropsWithChildren> = ({
 		queryKey: ["template", templateName],
 		queryFn: () => fetchTemplate(organizationName, templateName),
 	});
-	const orgPermissionsQuery = useQuery(
-		organizationsPermissions([organizationName]),
+	const workspacePermissionsQuery = useQuery(
+		checkAuthorization({
+			checks: workspacePermissionChecks(organizationName),
+		}),
 	);
+
 	const location = useLocation();
 	const paths = location.pathname.split("/");
 	const activeTab = paths.at(-1) === templateName ? "summary" : paths.at(-1)!;
@@ -89,7 +93,7 @@ export const TemplateLayout: FC<PropsWithChildren> = ({
 	const shouldShowInsights =
 		data?.permissions?.canUpdateTemplate || data?.permissions?.canReadInsights;
 
-	if (error || orgPermissionsQuery.error) {
+	if (error || workspacePermissionsQuery.error) {
 		return (
 			<div css={{ margin: 16 }}>
 				<ErrorAlert error={error} />
@@ -97,19 +101,17 @@ export const TemplateLayout: FC<PropsWithChildren> = ({
 		);
 	}
 
-	if (isLoading || !data || !orgPermissionsQuery.data) {
+	if (isLoading || !data || !workspacePermissionsQuery.data) {
 		return <Loader />;
 	}
 
-	const orgPermissions = orgPermissionsQuery.data?.[organizationName];
-
 	return (
 		<>
 			<TemplatePageHeader
 				template={data.template}
 				activeVersion={data.activeVersion}
 				permissions={data.permissions}
-				orgPermissions={orgPermissions}
+				workspacePermissions={workspacePermissionsQuery.data}
 				onDeleteTemplate={() => {
 					navigate("/templates");
 				}}
diff --git a/site/src/pages/TemplatePage/TemplatePageHeader.tsx b/site/src/pages/TemplatePage/TemplatePageHeader.tsx
index 8e4a7d758464a..1d70379e75f43 100644
--- a/site/src/pages/TemplatePage/TemplatePageHeader.tsx
+++ b/site/src/pages/TemplatePage/TemplatePageHeader.tsx
@@ -31,7 +31,6 @@ import {
 import { Pill } from "components/Pill/Pill";
 import { Stack } from "components/Stack/Stack";
 import { linkToTemplate, useLinks } from "modules/navigation";
-import type { OrganizationPermissions } from "modules/permissions/organizations";
 import type { FC } from "react";
 import { useQuery } from "react-query";
 import { Link as RouterLink, useNavigate } from "react-router-dom";
@@ -159,7 +158,7 @@ export type TemplatePageHeaderProps = {
 	template: Template;
 	activeVersion: TemplateVersion;
 	permissions: AuthorizationResponse;
-	orgPermissions: OrganizationPermissions | undefined;
+	workspacePermissions: AuthorizationResponse;
 	onDeleteTemplate: () => void;
 };
 
@@ -167,7 +166,7 @@ export const TemplatePageHeader: FC<TemplatePageHeaderProps> = ({
 	template,
 	activeVersion,
 	permissions,
-	orgPermissions,
+	workspacePermissions,
 	onDeleteTemplate,
 }) => {
 	const getLink = useLinks();
@@ -180,16 +179,17 @@ export const TemplatePageHeader: FC<TemplatePageHeaderProps> = ({
 			<PageHeader
 				actions={
 					<>
-						{!template.deprecated && orgPermissions?.createWorkspaces && (
-							<Button
-								variant="contained"
-								startIcon={<AddIcon />}
-								component={RouterLink}
-								to={`${templateLink}/workspace`}
-							>
-								Create Workspace
-							</Button>
-						)}
+						{!template.deprecated &&
+							workspacePermissions.createWorkspaceForUser && (
+								<Button
+									variant="contained"
+									startIcon={<AddIcon />}
+									component={RouterLink}
+									to={`${templateLink}/workspace`}
+								>
+									Create Workspace
+								</Button>
+							)}
 
 						{permissions.canUpdateTemplate && (
 							<TemplateMenu
diff --git a/site/src/pages/TemplatesPage/TemplatesPage.tsx b/site/src/pages/TemplatesPage/TemplatesPage.tsx
index 11779c0f1629b..5fa956bed66fa 100644
--- a/site/src/pages/TemplatesPage/TemplatesPage.tsx
+++ b/site/src/pages/TemplatesPage/TemplatesPage.tsx
@@ -1,4 +1,4 @@
-import { organizationsPermissions } from "api/queries/organizations";
+import { workspacePermissionsByOrganization } from "api/queries/organizations";
 import { templateExamples, templates } from "api/queries/templates";
 import { useFilter } from "components/Filter/Filter";
 import { useAuthenticated } from "contexts/auth/RequireAuth";
@@ -27,14 +27,16 @@ export const TemplatesPage: FC = () => {
 		enabled: permissions.createTemplates,
 	});
 
-	const orgPermissionsQuery = useQuery(
-		organizationsPermissions(
+	const workspacePermissionsQuery = useQuery(
+		workspacePermissionsByOrganization(
 			templatesQuery.data?.map((template) => template.organization_id),
 		),
 	);
 
 	const error =
-		templatesQuery.error || examplesQuery.error || orgPermissionsQuery.error;
+		templatesQuery.error ||
+		examplesQuery.error ||
+		workspacePermissionsQuery.error;
 
 	return (
 		<>
@@ -48,7 +50,7 @@ export const TemplatesPage: FC = () => {
 				canCreateTemplates={permissions.createTemplates}
 				examples={examplesQuery.data}
 				templates={templatesQuery.data}
-				orgPermissions={orgPermissionsQuery.data}
+				workspacePermissions={workspacePermissionsQuery.data}
 			/>
 		</>
 	);
diff --git a/site/src/pages/TemplatesPage/TemplatesPageView.tsx b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
index 2710765499b34..fbf3743043c08 100644
--- a/site/src/pages/TemplatesPage/TemplatesPageView.tsx
+++ b/site/src/pages/TemplatesPage/TemplatesPageView.tsx
@@ -40,7 +40,7 @@ import {
 import { useClickableTableRow } from "hooks/useClickableTableRow";
 import { PlusIcon } from "lucide-react";
 import { linkToTemplate, useLinks } from "modules/navigation";
-import type { OrganizationPermissions } from "modules/permissions/organizations";
+import type { WorkspacePermissions } from "modules/permissions/workspaces";
 import type { FC } from "react";
 import { Link, useNavigate } from "react-router-dom";
 import { createDayString } from "utils/createDayString";
@@ -88,13 +88,13 @@ const TemplateHelpTooltip: FC = () => {
 interface TemplateRowProps {
 	showOrganizations: boolean;
 	template: Template;
-	orgPermissions: Record<string, OrganizationPermissions> | undefined;
+	workspacePermissions: Record<string, WorkspacePermissions> | undefined;
 }
 
 const TemplateRow: FC<TemplateRowProps> = ({
 	showOrganizations,
 	template,
-	orgPermissions,
+	workspacePermissions,
 }) => {
 	const getLink = useLinks();
 	const templatePageLink = getLink(
@@ -159,7 +159,8 @@ const TemplateRow: FC<TemplateRowProps> = ({
 			<TableCell css={styles.actionCell}>
 				{template.deprecated ? (
 					<DeprecatedBadge />
-				) : orgPermissions?.[template.organization_id]?.createWorkspaces ? (
+				) : workspacePermissions?.[template.organization_id]
+						?.createWorkspaceForUser ? (
 					<MuiButton
 						size="small"
 						css={styles.actionButton}
@@ -186,7 +187,7 @@ export interface TemplatesPageViewProps {
 	canCreateTemplates: boolean;
 	examples: TemplateExample[] | undefined;
 	templates: Template[] | undefined;
-	orgPermissions: Record<string, OrganizationPermissions> | undefined;
+	workspacePermissions: Record<string, WorkspacePermissions> | undefined;
 }
 
 export const TemplatesPageView: FC<TemplatesPageViewProps> = ({
@@ -196,7 +197,7 @@ export const TemplatesPageView: FC<TemplatesPageViewProps> = ({
 	canCreateTemplates,
 	examples,
 	templates,
-	orgPermissions,
+	workspacePermissions,
 }) => {
 	const isLoading = !templates;
 	const isEmpty = templates && templates.length === 0;
@@ -258,7 +259,7 @@ export const TemplatesPageView: FC<TemplatesPageViewProps> = ({
 									key={template.id}
 									showOrganizations={showOrganizations}
 									template={template}
-									orgPermissions={orgPermissions}
+									workspacePermissions={workspacePermissions}
 								/>
 							))
 						)}
diff --git a/site/src/pages/WorkspacesPage/WorkspacesPage.tsx b/site/src/pages/WorkspacesPage/WorkspacesPage.tsx
index c22de18f4ed4d..62fb8c1132200 100644
--- a/site/src/pages/WorkspacesPage/WorkspacesPage.tsx
+++ b/site/src/pages/WorkspacesPage/WorkspacesPage.tsx
@@ -1,4 +1,4 @@
-import { organizationsPermissions } from "api/queries/organizations";
+import { workspacePermissionsByOrganization } from "api/queries/organizations";
 import { templates } from "api/queries/templates";
 import type { Workspace } from "api/typesGenerated";
 import { useFilter } from "components/Filter/Filter";
@@ -46,7 +46,7 @@ const WorkspacesPage: FC = () => {
 	const templatesQuery = useQuery(templates());
 
 	const orgPermissionsQuery = useQuery(
-		organizationsPermissions(
+		workspacePermissionsByOrganization(
 			templatesQuery.data?.map((template) => template.organization_id),
 		),
 	);
@@ -59,7 +59,7 @@ const WorkspacesPage: FC = () => {
 
 		return templatesQuery.data.filter((template) => {
 			const orgPermission = orgPermissionsQuery.data[template.organization_id];
-			return orgPermission?.createWorkspaces;
+			return orgPermission?.createWorkspaceForUser;
 		});
 	}, [templatesQuery.data, orgPermissionsQuery.data]);
 
diff --git a/site/src/testHelpers/entities.ts b/site/src/testHelpers/entities.ts
index 344a2d0735f8d..a298dea4ffd9d 100644
--- a/site/src/testHelpers/entities.ts
+++ b/site/src/testHelpers/entities.ts
@@ -2922,7 +2922,6 @@ export const MockOrganizationPermissions: OrganizationPermissions = {
 	viewProvisionerJobs: true,
 	viewIdpSyncSettings: true,
 	editIdpSyncSettings: true,
-	createWorkspaces: true,
 };
 
 export const MockNoOrganizationPermissions: OrganizationPermissions = {
@@ -2941,7 +2940,6 @@ export const MockNoOrganizationPermissions: OrganizationPermissions = {
 	viewProvisionerJobs: false,
 	viewIdpSyncSettings: false,
 	editIdpSyncSettings: false,
-	createWorkspaces: false,
 };
 
 export const MockDeploymentConfig: DeploymentConfig = {

From 3ecc9d9a3f1314e986280db003b240a0d247302f Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Wed, 2 Apr 2025 10:14:18 +0000
Subject: [PATCH 12/12] fix: update storybook testsw

---
 .../TemplatePage/TemplatePageHeader.stories.tsx  | 11 +++++++++++
 .../TemplatesPage/TemplatesPageView.stories.tsx  | 16 ++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/site/src/pages/TemplatePage/TemplatePageHeader.stories.tsx b/site/src/pages/TemplatePage/TemplatePageHeader.stories.tsx
index e7bf7db389666..4acd28446631f 100644
--- a/site/src/pages/TemplatePage/TemplatePageHeader.stories.tsx
+++ b/site/src/pages/TemplatePage/TemplatePageHeader.stories.tsx
@@ -13,6 +13,9 @@ const meta: Meta<typeof TemplatePageHeader> = {
 		permissions: {
 			canUpdateTemplate: true,
 		},
+		workspacePermissions: {
+			createWorkspaceForUser: true,
+		},
 	},
 };
 
@@ -29,6 +32,14 @@ export const CanNotUpdate: Story = {
 	},
 };
 
+export const CannotCreateWorkspace: Story = {
+	args: {
+		workspacePermissions: {
+			createWorkspaceForUser: false,
+		},
+	},
+};
+
 export const Deprecated: Story = {
 	args: {
 		template: {
diff --git a/site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx b/site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx
index 7572f39b4b365..bed6b72c5d719 100644
--- a/site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx
+++ b/site/src/pages/TemplatesPage/TemplatesPageView.stories.tsx
@@ -74,6 +74,11 @@ export const WithTemplates: Story = {
 			},
 		],
 		examples: [],
+		workspacePermissions: {
+			[MockTemplate.organization_id]: {
+				createWorkspaceForUser: true,
+			},
+		},
 	},
 };
 
@@ -84,6 +89,17 @@ export const MultipleOrganizations: Story = {
 	},
 };
 
+export const CannotCreateWorkspaces: Story = {
+	args: {
+		...WithTemplates.args,
+		workspacePermissions: {
+			[MockTemplate.organization_id]: {
+				createWorkspaceForUser: false,
+			},
+		},
+	},
+};
+
 export const WithFilteredAllTemplates: Story = {
 	args: {
 		...WithTemplates.args,