coder
diff --git a/‎coderd/audit/table.go
Lines changed: 1 addition & 0 deletions b/‎coderd/audit/table.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 12 additions & 0 deletions b/‎coderd/coderd.go
Lines changed: 12 additions & 0 deletions
diff --git a/‎coderd/database/databasefake/databasefake.go
Lines changed: 79 additions & 0 deletions b/‎coderd/database/databasefake/databasefake.go
Lines changed: 79 additions & 0 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 2 additions & 1 deletion b/‎coderd/database/dump.sql
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/database/migrations/000008_rbac_roles.down.sql
Lines changed: 2 additions & 0 deletions b/‎coderd/database/migrations/000008_rbac_roles.down.sql
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000008_rbac_roles.up.sql
Lines changed: 18 additions & 0 deletions b/‎coderd/database/migrations/000008_rbac_roles.up.sql
Lines changed: 18 additions & 0 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/models.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 3 additions & 0 deletions b/‎coderd/database/querier.go
Lines changed: 3 additions & 0 deletions
@@ -42,6 +42,7 @@ var AuditableResources = auditMap(map[any]map[string]Action{
 		"created_at":      ActionIgnore, // Never changes.
 		"updated_at":      ActionIgnore, // Changes, but is implicit and not helpful in a diff.
 		"status":          ActionTrack,  // A user can update another user status
+		"rbac_roles":      ActionTrack,  // A user's roles are mutable
 	},
 	&database.Workspace{}: {
 		"id":                 ActionIgnore, // Never changes.
 
@@ -120,6 +120,14 @@ func New(options *Options) (http.Handler, func()) {
 					r.Get("/", api.workspacesByOwner)
 				})
 			})
+			r.Route("/members", func(r chi.Router) {
+				r.Route("/{user}", func(r chi.Router) {
+					r.Use(
+						httpmw.ExtractUserParam(options.Database),
+					)
+					r.Put("/roles", api.putMemberRoles)
+				})
+			})
 		})
 		r.Route("/parameters/{scope}/{id}", func(r chi.Router) {
 			r.Use(apiKeyMiddleware)
@@ -183,6 +191,10 @@ func New(options *Options) (http.Handler, func()) {
 					r.Get("/", api.userByName)
 					r.Put("/profile", api.putUserProfile)
 					r.Put("/suspend", api.putUserSuspend)
+					// TODO: @emyrk Might want to move these to a /roles group instead of /user.
+					//		As we include more roles like org roles, it makes less sense to scope these here.
+					r.Put("/roles", api.putUserRoles)
+					r.Get("/roles", api.userRoles)
 					r.Get("/organizations", api.organizationsByUser)
 					r.Post("/organizations", api.postOrganizationsByUser)
 					r.Post("/keys", api.postAPIKey)
 
@@ -212,6 +212,16 @@ func (q *fakeQuerier) GetUsers(_ context.Context, params database.GetUsersParams
 		users = tmp
 	}
 
+	if params.Status != "" {
+		usersFilteredByStatus := make([]database.User, 0, len(users))
+		for i, user := range users {
+			if params.Status == string(user.Status) {
+				usersFilteredByStatus = append(usersFilteredByStatus, users[i])
+			}
+		}
+		users = usersFilteredByStatus
+	}
+
 	if params.OffsetOpt > 0 {
 		if int(params.OffsetOpt) > len(users)-1 {
 			return []database.User{}, nil
@@ -225,6 +235,7 @@ func (q *fakeQuerier) GetUsers(_ context.Context, params database.GetUsersParams
 		}
 		users = users[:params.LimitOpt]
 	}
+
 	tmp := make([]database.User, len(users))
 	copy(tmp, users)
 
@@ -732,6 +743,43 @@ func (q *fakeQuerier) GetOrganizationIDsByMemberIDs(_ context.Context, ids []uui
 	return getOrganizationIDsByMemberIDRows, nil
 }
 
+func (q *fakeQuerier) GetOrganizationMembershipsByUserID(_ context.Context, userID uuid.UUID) ([]database.OrganizationMember, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	var memberships []database.OrganizationMember
+	for _, organizationMember := range q.organizationMembers {
+		mem := organizationMember
+		if mem.UserID != userID {
+			continue
+		}
+		memberships = append(memberships, mem)
+	}
+	return memberships, nil
+}
+
+func (q *fakeQuerier) UpdateMemberRoles(_ context.Context, arg database.UpdateMemberRolesParams) (database.OrganizationMember, error) {
+	for i, mem := range q.organizationMembers {
+		if mem.UserID == arg.UserID && mem.OrganizationID == arg.OrgID {
+			uniqueRoles := make([]string, 0, len(arg.GrantedRoles))
+			exist := make(map[string]struct{})
+			for _, r := range arg.GrantedRoles {
+				if _, ok := exist[r]; ok {
+					continue
+				}
+				exist[r] = struct{}{}
+				uniqueRoles = append(uniqueRoles, r)
+			}
+			sort.Strings(uniqueRoles)
+
+			mem.Roles = uniqueRoles
+			q.organizationMembers[i] = mem
+			return mem, nil
+		}
+	}
+	return database.OrganizationMember{}, sql.ErrNoRows
+}
+
 func (q *fakeQuerier) GetProvisionerDaemons(_ context.Context) ([]database.ProvisionerDaemon, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
@@ -1162,11 +1210,42 @@ func (q *fakeQuerier) InsertUser(_ context.Context, arg database.InsertUserParam
 		UpdatedAt:      arg.UpdatedAt,
 		Username:       arg.Username,
 		Status:         database.UserStatusActive,
+		RBACRoles:      arg.RBACRoles,
 	}
 	q.users = append(q.users, user)
 	return user, nil
 }
 
+func (q *fakeQuerier) UpdateUserRoles(_ context.Context, arg database.UpdateUserRolesParams) (database.User, error) {
+	q.mutex.Lock()
+	defer q.mutex.Unlock()
+
+	for index, user := range q.users {
+		if user.ID != arg.ID {
+			continue
+		}
+
+		// Set new roles
+		user.RBACRoles = arg.GrantedRoles
+		// Remove duplicates and sort
+		uniqueRoles := make([]string, 0, len(user.RBACRoles))
+		exist := make(map[string]struct{})
+		for _, r := range user.RBACRoles {
+			if _, ok := exist[r]; ok {
+				continue
+			}
+			exist[r] = struct{}{}
+			uniqueRoles = append(uniqueRoles, r)
+		}
+		sort.Strings(uniqueRoles)
+		user.RBACRoles = uniqueRoles
+
+		q.users[index] = user
+		return user, nil
+	}
+	return database.User{}, sql.ErrNoRows
+}
+
 func (q *fakeQuerier) UpdateUserProfile(_ context.Context, arg database.UpdateUserProfileParams) (database.User, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
@@ -0,0 +1,2 @@
+ALTER TABLE ONLY users
+	DROP COLUMN IF EXISTS rbac_roles;
@@ -0,0 +1,18 @@
+ALTER TABLE ONLY users
+	ADD COLUMN IF NOT EXISTS rbac_roles text[] DEFAULT '{}' NOT NULL;
+
+-- All users are site members. So give them the standard role.
+-- Also give them membership to the first org we retrieve. We should only have
+-- 1 organization at this point in the product.
+UPDATE
+    users
+SET
+    rbac_roles = ARRAY ['member', 'organization-member:' || (SELECT id FROM organizations LIMIT 1)];
+
+-- Give the first user created the admin role
+UPDATE
+	users
+SET
+	rbac_roles = rbac_roles || ARRAY ['admin']
+WHERE
+	id = (SELECT id FROM users ORDER BY created_at ASC LIMIT 1)
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+ALTER TABLE ONLY users`
	`2`	`+ DROP COLUMN IF EXISTS rbac_roles;`