From 06229796a259068ccc900f08825cf5b6bf6892b7 Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Fri, 7 Mar 2025 23:02:54 +0000
Subject: [PATCH 1/2] fix: use correct permissions for CRUD of custom roles

---
 site/src/modules/permissions/index.ts         |  3 +
 site/src/modules/permissions/organizations.ts | 14 +++++
 .../CustomRolesPage/CreateEditRolePage.tsx    |  5 +-
 .../CreateEditRolePageView.stories.tsx        |  2 -
 .../CreateEditRolePageView.tsx                | 60 +++++++++----------
 .../CustomRolesPage/CustomRolesPage.tsx       |  3 +-
 .../CustomRolesPageView.stories.tsx           |  4 +-
 .../CustomRolesPage/CustomRolesPageView.tsx   | 59 +++++++++++-------
 site/src/testHelpers/entities.ts              |  4 ++
 9 files changed, 92 insertions(+), 62 deletions(-)

diff --git a/site/src/modules/permissions/index.ts b/site/src/modules/permissions/index.ts
index 300edec9e52db..98356aa34b3d9 100644
--- a/site/src/modules/permissions/index.ts
+++ b/site/src/modules/permissions/index.ts
@@ -6,6 +6,9 @@ export type Permissions = {
 
 export type PermissionName = keyof typeof permissionChecks;
 
+/**
+ * Site-wide permission checks
+ */
 export const permissionChecks = {
 	viewAllUsers: {
 		object: {
diff --git a/site/src/modules/permissions/organizations.ts b/site/src/modules/permissions/organizations.ts
index 1b79e11e68ca0..0a7cb505c2a4b 100644
--- a/site/src/modules/permissions/organizations.ts
+++ b/site/src/modules/permissions/organizations.ts
@@ -73,6 +73,20 @@ export const organizationPermissionChecks = (organizationId: string) =>
 			},
 			action: "create",
 		},
+		updateOrgRoles: {
+			object: {
+				resource_type: "assign_org_role",
+				organization_id: organizationId,
+			},
+			action: "update",
+		},
+		deleteOrgRoles: {
+			object: {
+				resource_type: "assign_org_role",
+				organization_id: organizationId,
+			},
+			action: "delete",
+		},
 		viewProvisioners: {
 			object: {
 				resource_type: "provisioner_daemon",
diff --git a/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePage.tsx b/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePage.tsx
index 0d702b400e69d..9e65003a69650 100644
--- a/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePage.tsx
+++ b/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePage.tsx
@@ -48,8 +48,8 @@ export const CreateEditRolePage: FC = () => {
 	return (
 		<RequirePermission
 			isFeatureVisible={
-				organizationPermissions.assignOrgRoles ||
-				organizationPermissions.createOrgRoles
+				(organizationPermissions.updateOrgRoles && role !== undefined) ||
+				(organizationPermissions.createOrgRoles && role === undefined)
 			}
 		>
 			<Helmet>
@@ -87,7 +87,6 @@ export const CreateEditRolePage: FC = () => {
 						: createOrganizationRoleMutation.isLoading
 				}
 				organizationName={organizationName}
-				canAssignOrgRole={organizationPermissions.assignOrgRoles}
 			/>
 		</RequirePermission>
 	);
diff --git a/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePageView.stories.tsx b/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePageView.stories.tsx
index c374aa33d51d6..931823855509f 100644
--- a/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePageView.stories.tsx
+++ b/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePageView.stories.tsx
@@ -23,7 +23,6 @@ export const Default: Story = {
 		error: undefined,
 		isLoading: false,
 		organizationName: "my-org",
-		canAssignOrgRole: true,
 	},
 };
 
@@ -81,7 +80,6 @@ export const InvalidCharsError: Story = {
 export const CannotEditRoleName: Story = {
 	args: {
 		...Default.args,
-		canAssignOrgRole: false,
 	},
 };
 
diff --git a/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePageView.tsx b/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePageView.tsx
index 9e9d7f4e41db9..717904b4bda0e 100644
--- a/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePageView.tsx
+++ b/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePageView.tsx
@@ -43,7 +43,6 @@ export type CreateEditRolePageViewProps = {
 	error?: unknown;
 	isLoading: boolean;
 	organizationName: string;
-	canAssignOrgRole: boolean;
 	allResources?: boolean;
 };
 
@@ -53,7 +52,6 @@ export const CreateEditRolePageView: FC<CreateEditRolePageViewProps> = ({
 	error,
 	isLoading,
 	organizationName,
-	canAssignOrgRole,
 	allResources = false,
 }) => {
 	const navigate = useNavigate();
@@ -84,26 +82,24 @@ export const CreateEditRolePageView: FC<CreateEditRolePageViewProps> = ({
 					title={`${role ? "Edit" : "Create"} Custom Role`}
 					description="Set a name and permissions for this role."
 				/>
-				{canAssignOrgRole && (
-					<div className="flex space-x-2 items-center">
-						<Button
-							variant="outline"
-							onClick={() => {
-								navigate(`/organizations/${organizationName}/roles`);
-							}}
-						>
-							Cancel
-						</Button>
-						<Button
-							onClick={() => {
-								form.handleSubmit();
-							}}
-						>
-							<Spinner loading={isLoading} />
-							{role !== undefined ? "Save" : "Create Role"}
-						</Button>
-					</div>
-				)}
+				<div className="flex space-x-2 items-center">
+					<Button
+						variant="outline"
+						onClick={() => {
+							navigate(`/organizations/${organizationName}/roles`);
+						}}
+					>
+						Cancel
+					</Button>
+					<Button
+						onClick={() => {
+							form.handleSubmit();
+						}}
+					>
+						<Spinner loading={isLoading} />
+						{role !== undefined ? "Save" : "Create Role"}
+					</Button>
+				</div>
 			</Stack>
 
 			<VerticalForm onSubmit={form.handleSubmit}>
@@ -135,18 +131,16 @@ export const CreateEditRolePageView: FC<CreateEditRolePageViewProps> = ({
 						allResources={allResources}
 					/>
 				</FormFields>
-				{canAssignOrgRole && (
-					<FormFooter>
-						<Button onClick={onCancel} variant="outline">
-							Cancel
-						</Button>
+				<FormFooter>
+					<Button onClick={onCancel} variant="outline">
+						Cancel
+					</Button>
 
-						<Button type="submit" disabled={isLoading}>
-							<Spinner loading={isLoading} />
-							{role ? "Save role" : "Create Role"}
-						</Button>
-					</FormFooter>
-				)}
+					<Button type="submit" disabled={isLoading}>
+						<Spinner loading={isLoading} />
+						{role ? "Save role" : "Create Role"}
+					</Button>
+				</FormFooter>
 			</VerticalForm>
 		</>
 	);
diff --git a/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CustomRolesPage.tsx b/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CustomRolesPage.tsx
index 67d511c0665d3..fc5ec83e129a8 100644
--- a/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CustomRolesPage.tsx
+++ b/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CustomRolesPage.tsx
@@ -81,8 +81,9 @@ export const CustomRolesPage: FC = () => {
 					builtInRoles={builtInRoles}
 					customRoles={customRoles}
 					onDeleteRole={setRoleToDelete}
-					canAssignOrgRole={organizationPermissions?.assignOrgRoles ?? false}
 					canCreateOrgRole={organizationPermissions?.createOrgRoles ?? false}
+					canUpdateOrgRole={organizationPermissions?.updateOrgRoles ?? false}
+					canDeleteOrgRole={organizationPermissions?.deleteOrgRoles ?? false}
 					isCustomRolesEnabled={isCustomRolesEnabled}
 				/>
 
diff --git a/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CustomRolesPageView.stories.tsx b/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CustomRolesPageView.stories.tsx
index 79319c888647f..14ffbfa85bc90 100644
--- a/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CustomRolesPageView.stories.tsx
+++ b/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CustomRolesPageView.stories.tsx
@@ -11,7 +11,6 @@ const meta: Meta<typeof CustomRolesPageView> = {
 	args: {
 		builtInRoles: [MockRoleWithOrgPermissions],
 		customRoles: [MockRoleWithOrgPermissions],
-		canAssignOrgRole: true,
 		canCreateOrgRole: true,
 		isCustomRolesEnabled: true,
 	},
@@ -31,7 +30,7 @@ export const NotEnabled: Story = {
 export const NotEnabledEmptyTable: Story = {
 	args: {
 		customRoles: [],
-		canAssignOrgRole: true,
+		canCreateOrgRole: true,
 		isCustomRolesEnabled: false,
 	},
 };
@@ -58,7 +57,6 @@ export const EmptyDisplayName: Story = {
 export const EmptyTableUserWithoutPermission: Story = {
 	args: {
 		customRoles: [],
-		canAssignOrgRole: false,
 		canCreateOrgRole: false,
 	},
 };
diff --git a/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CustomRolesPageView.tsx b/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CustomRolesPageView.tsx
index c770d7396611d..d2eebac62e5f4 100644
--- a/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CustomRolesPageView.tsx
+++ b/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CustomRolesPageView.tsx
@@ -34,8 +34,9 @@ interface CustomRolesPageViewProps {
 	builtInRoles: AssignableRoles[] | undefined;
 	customRoles: AssignableRoles[] | undefined;
 	onDeleteRole: (role: Role) => void;
-	canAssignOrgRole: boolean;
 	canCreateOrgRole: boolean;
+	canUpdateOrgRole: boolean;
+	canDeleteOrgRole: boolean;
 	isCustomRolesEnabled: boolean;
 }
 
@@ -43,8 +44,9 @@ export const CustomRolesPageView: FC<CustomRolesPageViewProps> = ({
 	builtInRoles,
 	customRoles,
 	onDeleteRole,
-	canAssignOrgRole,
 	canCreateOrgRole,
+	canUpdateOrgRole,
+	canDeleteOrgRole,
 	isCustomRolesEnabled,
 }) => {
 	return (
@@ -77,7 +79,9 @@ export const CustomRolesPageView: FC<CustomRolesPageViewProps> = ({
 			<RoleTable
 				roles={customRoles}
 				isCustomRolesEnabled={isCustomRolesEnabled}
-				canAssignOrgRole={canAssignOrgRole}
+				canCreateOrgRole={canCreateOrgRole}
+				canUpdateOrgRole={canUpdateOrgRole}
+				canDeleteOrgRole={canDeleteOrgRole}
 				onDeleteRole={onDeleteRole}
 			/>
 			<span>
@@ -90,7 +94,9 @@ export const CustomRolesPageView: FC<CustomRolesPageViewProps> = ({
 			<RoleTable
 				roles={builtInRoles}
 				isCustomRolesEnabled={isCustomRolesEnabled}
-				canAssignOrgRole={canAssignOrgRole}
+				canCreateOrgRole={canCreateOrgRole}
+				canUpdateOrgRole={canUpdateOrgRole}
+				canDeleteOrgRole={canDeleteOrgRole}
 				onDeleteRole={onDeleteRole}
 			/>
 		</Stack>
@@ -100,15 +106,19 @@ export const CustomRolesPageView: FC<CustomRolesPageViewProps> = ({
 interface RoleTableProps {
 	roles: AssignableRoles[] | undefined;
 	isCustomRolesEnabled: boolean;
-	canAssignOrgRole: boolean;
+	canCreateOrgRole: boolean;
+	canUpdateOrgRole: boolean;
+	canDeleteOrgRole: boolean;
 	onDeleteRole: (role: Role) => void;
 }
 
 const RoleTable: FC<RoleTableProps> = ({
 	roles,
 	isCustomRolesEnabled,
+	canCreateOrgRole,
+	canUpdateOrgRole,
+	canDeleteOrgRole,
 	onDeleteRole,
-	canAssignOrgRole,
 }) => {
 	const isLoading = roles === undefined;
 	const isEmpty = Boolean(roles && roles.length === 0);
@@ -134,14 +144,14 @@ const RoleTable: FC<RoleTableProps> = ({
 									<EmptyState
 										message="No custom roles yet"
 										description={
-											canAssignOrgRole && isCustomRolesEnabled
+											canCreateOrgRole && isCustomRolesEnabled
 												? "Create your first custom role"
 												: !isCustomRolesEnabled
 													? "Upgrade to a premium license to create a custom role"
 													: "You don't have permission to create a custom role"
 										}
 										cta={
-											canAssignOrgRole &&
+											canCreateOrgRole &&
 											isCustomRolesEnabled && (
 												<Button
 													component={RouterLink}
@@ -165,7 +175,8 @@ const RoleTable: FC<RoleTableProps> = ({
 									<RoleRow
 										key={role.name}
 										role={role}
-										canAssignOrgRole={canAssignOrgRole}
+										canUpdateOrgRole={canUpdateOrgRole}
+										canDeleteOrgRole={canDeleteOrgRole}
 										onDelete={() => onDeleteRole(role)}
 									/>
 								))}
@@ -179,11 +190,17 @@ const RoleTable: FC<RoleTableProps> = ({
 
 interface RoleRowProps {
 	role: AssignableRoles;
+	canUpdateOrgRole: boolean;
+	canDeleteOrgRole: boolean;
 	onDelete: () => void;
-	canAssignOrgRole: boolean;
 }
 
-const RoleRow: FC<RoleRowProps> = ({ role, onDelete, canAssignOrgRole }) => {
+const RoleRow: FC<RoleRowProps> = ({
+	role,
+	onDelete,
+	canUpdateOrgRole,
+	canDeleteOrgRole,
+}) => {
 	const navigate = useNavigate();
 
 	return (
@@ -195,20 +212,22 @@ const RoleRow: FC<RoleRowProps> = ({ role, onDelete, canAssignOrgRole }) => {
 			</TableCell>
 
 			<TableCell>
-				{!role.built_in && (
+				{!role.built_in && (canUpdateOrgRole || canDeleteOrgRole) && (
 					<MoreMenu>
 						<MoreMenuTrigger>
 							<ThreeDotsButton />
 						</MoreMenuTrigger>
 						<MoreMenuContent>
-							<MoreMenuItem
-								onClick={() => {
-									navigate(role.name);
-								}}
-							>
-								Edit
-							</MoreMenuItem>
-							{canAssignOrgRole && (
+							{canUpdateOrgRole && (
+								<MoreMenuItem
+									onClick={() => {
+										navigate(role.name);
+									}}
+								>
+									Edit
+								</MoreMenuItem>
+							)}
+							{canDeleteOrgRole && (
 								<MoreMenuItem danger onClick={onDelete}>
 									Delete&hellip;
 								</MoreMenuItem>
diff --git a/site/src/testHelpers/entities.ts b/site/src/testHelpers/entities.ts
index 69f2544192ee4..d2125baab39d6 100644
--- a/site/src/testHelpers/entities.ts
+++ b/site/src/testHelpers/entities.ts
@@ -2900,6 +2900,8 @@ export const MockOrganizationPermissions: OrganizationPermissions = {
 	viewOrgRoles: true,
 	createOrgRoles: true,
 	assignOrgRoles: true,
+	updateOrgRoles: true,
+	deleteOrgRoles: true,
 	viewProvisioners: true,
 	viewProvisionerJobs: true,
 	viewIdpSyncSettings: true,
@@ -2916,6 +2918,8 @@ export const MockNoOrganizationPermissions: OrganizationPermissions = {
 	viewOrgRoles: false,
 	createOrgRoles: false,
 	assignOrgRoles: false,
+	updateOrgRoles: false,
+	deleteOrgRoles: false,
 	viewProvisioners: false,
 	viewProvisionerJobs: false,
 	viewIdpSyncSettings: false,

From 72cfd9cb3b1d8f1e19113a1eb906fbbd184a5dc9 Mon Sep 17 00:00:00 2001
From: Jaayden Halko <jaayden.halko@gmail.com>
Date: Mon, 10 Mar 2025 20:44:09 +0000
Subject: [PATCH 2/2] chore: improve readability

---
 .../CustomRolesPage/CreateEditRolePage.tsx                   | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePage.tsx b/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePage.tsx
index 9e65003a69650..271018da7eead 100644
--- a/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePage.tsx
+++ b/site/src/pages/OrganizationSettingsPage/CustomRolesPage/CreateEditRolePage.tsx
@@ -48,8 +48,9 @@ export const CreateEditRolePage: FC = () => {
 	return (
 		<RequirePermission
 			isFeatureVisible={
-				(organizationPermissions.updateOrgRoles && role !== undefined) ||
-				(organizationPermissions.createOrgRoles && role === undefined)
+				role
+					? organizationPermissions.updateOrgRoles
+					: organizationPermissions.createOrgRoles
 			}
 		>
 			<Helmet>

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/16854.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/16854.patch" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/16854.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/16854.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>