Currently the authorization flow for starting/stopping/deleting a workspace requires the subject to have the workspace.update permission.
So far it hasn't been a (big) problem because subjects doing those actions usually have that permission.
With workspace sharing, however, this becomes an easy bug to run into: sharing a workspace using the use role grants the workspace.start and workspace.stop permissions (but not the workspace.update one).
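The mismatch described above, as a small model (an added example, not the project's own code). The `owner` role, the `workspace.delete` permission name, and all identifiers in the code are assumptions; only the `use` role's start/stop grants and the `workspace.update` gate come from the text.

```go
package main

import "fmt"

// Constructed role model. Only the "use" grants come from the issue text;
// the "owner" permission set is an assumption for contrast.
var rolePerms = map[string][]string{
	"use":   {"workspace.start", "workspace.stop"},
	"owner": {"workspace.start", "workspace.stop", "workspace.update", "workspace.delete"},
}

// currentRequired mirrors the flow described above: every lifecycle
// action is gated on workspace.update.
var currentRequired = map[string]string{
	"start": "workspace.update", "stop": "workspace.update", "delete": "workspace.update",
}

// perActionRequired gates each action on its own permission.
// "workspace.delete" is an assumed name, not taken from the issue.
var perActionRequired = map[string]string{
	"start": "workspace.start", "stop": "workspace.stop", "delete": "workspace.delete",
}

// Authorize reports whether role may perform action under the given policy.
// Unknown roles or actions are denied (fail closed).
func Authorize(policy map[string]string, role, action string) bool {
	need, ok := policy[action]
	if !ok {
		return false
	}
	for _, p := range rolePerms[role] {
		if p == need {
			return true
		}
	}
	return false
}

func main() {
	for _, action := range []string{"start", "stop", "delete"} {
		fmt.Printf("use/%-6s current=%-5v per-action=%v\n", action,
			Authorize(currentRequired, "use", action),
			Authorize(perActionRequired, "use", action))
	}
}
```

Under the per-action policy the `use` role can start and stop a shared workspace but still cannot delete it, so the fix does not widen what sharing grants.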