coder
diff --git a/‎coderd/authorize.go
Lines changed: 2 additions & 2 deletions b/‎coderd/authorize.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 1 addition & 1 deletion b/‎coderd/coderdtest/coderdtest.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/databasefake/databasefake.go
Lines changed: 5 additions & 3 deletions b/‎coderd/database/databasefake/databasefake.go
Lines changed: 5 additions & 3 deletions
diff --git a/‎coderd/database/migrations/000016_drop_member_roles.down.sql
Lines changed: 11 additions & 0 deletions b/‎coderd/database/migrations/000016_drop_member_roles.down.sql
Lines changed: 11 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000016_drop_member_roles.up.sql
Lines changed: 11 additions & 0 deletions b/‎coderd/database/migrations/000016_drop_member_roles.up.sql
Lines changed: 11 additions & 0 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 3 additions & 1 deletion b/‎coderd/database/querier.go
Lines changed: 3 additions & 1 deletion
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 17 additions & 9 deletions b/‎coderd/database/queries.sql.go
Lines changed: 17 additions & 9 deletions
diff --git a/‎coderd/database/queries/users.sql
Lines changed: 13 additions & 5 deletions b/‎coderd/database/queries/users.sql
Lines changed: 13 additions & 5 deletions
diff --git a/‎coderd/httpmw/apikey.go
Lines changed: 14 additions & 1 deletion b/‎coderd/httpmw/apikey.go
Lines changed: 14 additions & 1 deletion
diff --git a/‎coderd/httpmw/authorize.go
Lines changed: 0 additions & 40 deletions b/‎coderd/httpmw/authorize.go
Lines changed: 0 additions & 40 deletions
diff --git a/‎coderd/httpmw/authorize_test.go
Lines changed: 8 additions & 8 deletions b/‎coderd/httpmw/authorize_test.go
Lines changed: 8 additions & 8 deletions
diff --git a/‎coderd/members.go
Lines changed: 3 additions & 1 deletion b/‎coderd/members.go
Lines changed: 3 additions & 1 deletion
diff --git a/‎coderd/organizations.go
Lines changed: 1 addition & 3 deletions b/‎coderd/organizations.go
Lines changed: 1 addition & 3 deletions
diff --git a/‎coderd/rbac/builtin.go
Lines changed: 2 additions & 2 deletions b/‎coderd/rbac/builtin.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/rbac/role.go
Lines changed: 3 additions & 1 deletion b/‎coderd/rbac/role.go
Lines changed: 3 additions & 1 deletion
diff --git a/‎coderd/roles.go
Lines changed: 5 additions & 1 deletion b/‎coderd/roles.go
Lines changed: 5 additions & 1 deletion
@@ -13,12 +13,12 @@ import (
 )
 
 func AuthorizeFilter[O rbac.Objecter](api *API, r *http.Request, action rbac.Action, objects []O) []O {
-	roles := httpmw.UserRoles(r)
+	roles := httpmw.AuthorizationUserRoles(r)
 	return rbac.Filter(r.Context(), api.Authorizer, roles.ID.String(), roles.Roles, action, objects)
 }
 
 func (api *API) Authorize(rw http.ResponseWriter, r *http.Request, action rbac.Action, object rbac.Objecter) bool {
-	roles := httpmw.UserRoles(r)
+	roles := httpmw.AuthorizationUserRoles(r)
 	err := api.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, action, object.RBACObject())
 	if err != nil {
 		httpapi.Write(rw, http.StatusForbidden, httpapi.Response{
 
@@ -281,7 +281,7 @@ func CreateAnotherUser(t *testing.T, client *codersdk.Client, organizationID uui
 			organizationID, err := uuid.Parse(orgID)
 			require.NoError(t, err, fmt.Sprintf("parse org id %q", orgID))
 			_, err = client.UpdateOrganizationMemberRoles(context.Background(), organizationID, user.ID.String(),
-				codersdk.UpdateRoles{Roles: append(roles, rbac.RoleOrgMember(organizationID))})
+				codersdk.UpdateRoles{Roles: roles})
 			require.NoError(t, err, "update org membership roles")
 		}
 	}
 
@@ -276,7 +276,7 @@ func (q *fakeQuerier) GetUsersByIDs(_ context.Context, ids []uuid.UUID) ([]datab
 	return users, nil
 }
 
-func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (database.GetAllUserRolesRow, error) {
+func (q *fakeQuerier) GetAuthorizationUserRoles(_ context.Context, userID uuid.UUID) (database.GetAuthorizationUserRolesRow, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
 
@@ -286,6 +286,7 @@ func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (data
 		if u.ID == userID {
 			u := u
 			roles = append(roles, u.RBACRoles...)
+			roles = append(roles, "member")
 			user = &u
 			break
 		}
@@ -294,14 +295,15 @@ func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (data
 	for _, mem := range q.organizationMembers {
 		if mem.UserID == userID {
 			roles = append(roles, mem.Roles...)
+			roles = append(roles, "organization-member:"+mem.OrganizationID.String())
 		}
 	}
 
 	if user == nil {
-		return database.GetAllUserRolesRow{}, sql.ErrNoRows
+		return database.GetAuthorizationUserRolesRow{}, sql.ErrNoRows
 	}
 
-	return database.GetAllUserRolesRow{
+	return database.GetAuthorizationUserRolesRow{
 		ID:       userID,
 		Username: user.Username,
 		Status:   user.Status,
 
@@ -0,0 +1,11 @@
+--- Remove the now implied 'member' role.
+UPDATE
+	users
+SET
+	rbac_roles = array_append(rbac_roles, 'member');
+
+--- Remove the now implied 'organization-member' role.
+UPDATE
+	organization_members
+SET
+	roles = array_append(roles, 'organization-member:'||organization_id::text);
@@ -0,0 +1,11 @@
+--- Remove the now implied 'member' role.
+UPDATE
+	users
+SET
+	rbac_roles = array_remove(rbac_roles, 'member');
+
+--- Remove the now implied 'organization-member' role.
+UPDATE
+	organization_members
+SET
+	roles = array_remove(roles, 'organization-member:'||organization_id::text);
@@ -134,12 +134,20 @@ WHERE
 	id = $1 RETURNING *;
 
 
--- name: GetAllUserRoles :one
+-- name: GetAuthorizationUserRoles :one
+-- This function returns roles for authorization purposes. Implied member roles
+-- are included.
 SELECT
-    -- username is returned just to help for logging purposes
-    -- status is used to enforce 'suspended' users, as all roles are ignored
-    --	when suspended.
-	id, username, status, array_cat(users.rbac_roles, organization_members.roles) :: text[] AS roles
+	-- username is returned just to help for logging purposes
+	-- status is used to enforce 'suspended' users, as all roles are ignored
+	--	when suspended.
+	id, username, status,
+	array_cat(
+		-- All users are members
+			array_append(users.rbac_roles, 'member'),
+		-- All org_members get the org-member role for their orgs
+			array_append(organization_members.roles, 'organization-member:'||organization_members.organization_id::text)) :: text[]
+	    AS roles
 FROM
 	users
 LEFT JOIN organization_members
 
@@ -31,6 +31,19 @@ func APIKey(r *http.Request) database.APIKey {
 	return apiKey
 }
 
+// User roles are the 'subject' field of Authorize()
+type userRolesKey struct{}
+
+// AuthorizationUserRoles returns the roles used for authorization.
+// Comes from the ExtractAPIKey handler.
+func AuthorizationUserRoles(r *http.Request) database.GetAuthorizationUserRolesRow {
+	apiKey, ok := r.Context().Value(userRolesKey{}).(database.GetAuthorizationUserRolesRow)
+	if !ok {
+		panic("developer error: user roles middleware not provided")
+	}
+	return apiKey
+}
+
 // OAuth2Configs is a collection of configurations for OAuth-based authentication.
 // This should be extended to support other authentication types in the future.
 type OAuth2Configs struct {
@@ -178,7 +191,7 @@ func ExtractAPIKey(db database.Store, oauth *OAuth2Configs) func(http.Handler) h
 			// If the key is valid, we also fetch the user roles and status.
 			// The roles are used for RBAC authorize checks, and the status
 			// is to block 'suspended' users from accessing the platform.
-			roles, err := db.GetAllUserRoles(r.Context(), key.UserID)
+			roles, err := db.GetAuthorizationUserRoles(r.Context(), key.UserID)
 			if err != nil {
 				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
 					Message: "roles not found",
 
@@ -31,23 +31,23 @@ func TestExtractUserRoles(t *testing.T) {
 		{
 			Name: "Member",
 			AddUser: func(db database.Store) (database.User, []string, string) {
-				roles := []string{rbac.RoleMember()}
+				roles := []string{}
 				user, token := addUser(t, db, roles...)
-				return user, roles, token
+				return user, append(roles, rbac.RoleMember()), token
 			},
 		},
 		{
 			Name: "Admin",
 			AddUser: func(db database.Store) (database.User, []string, string) {
-				roles := []string{rbac.RoleMember(), rbac.RoleAdmin()}
+				roles := []string{rbac.RoleAdmin()}
 				user, token := addUser(t, db, roles...)
-				return user, roles, token
+				return user, append(roles, rbac.RoleMember()), token
 			},
 		},
 		{
 			Name: "OrgMember",
 			AddUser: func(db database.Store) (database.User, []string, string) {
-				roles := []string{rbac.RoleMember()}
+				roles := []string{}
 				user, token := addUser(t, db, roles...)
 				org, err := db.InsertOrganization(context.Background(), database.InsertOrganizationParams{
 					ID:          uuid.New(),
@@ -58,7 +58,7 @@ func TestExtractUserRoles(t *testing.T) {
 				})
 				require.NoError(t, err)
 
-				orgRoles := []string{rbac.RoleOrgMember(org.ID)}
+				orgRoles := []string{}
 				_, err = db.InsertOrganizationMember(context.Background(), database.InsertOrganizationMemberParams{
 					OrganizationID: org.ID,
 					UserID:         user.ID,
@@ -67,7 +67,7 @@ func TestExtractUserRoles(t *testing.T) {
 					Roles:          orgRoles,
 				})
 				require.NoError(t, err)
-				return user, append(roles, orgRoles...), token
+				return user, append(roles, append(orgRoles, rbac.RoleMember(), rbac.RoleOrgMember(org.ID))...), token
 			},
 		},
 	}
@@ -86,7 +86,7 @@ func TestExtractUserRoles(t *testing.T) {
 				httpmw.ExtractAPIKey(db, &httpmw.OAuth2Configs{}),
 			)
 			rtr.Get("/", func(_ http.ResponseWriter, r *http.Request) {
-				roles := httpmw.UserRoles(r)
+				roles := httpmw.AuthorizationUserRoles(r)
 				require.ElementsMatch(t, user.ID, roles.ID)
 				require.ElementsMatch(t, expRoles, roles.Roles)
 			})
 
@@ -34,7 +34,9 @@ func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	added, removed := rbac.ChangeRoleSet(member.Roles, params.Roles)
+	// The org-member role is always implied.
+	impliedTypes := append(params.Roles, rbac.RoleOrgMember(organization.ID))
+	added, removed := rbac.ChangeRoleSet(member.Roles, impliedTypes)
 	for _, roleName := range added {
 		// Assigning a role requires the create permission.
 		if !api.Authorize(rw, r, rbac.ActionCreate, rbac.ResourceOrgRoleAssignment.WithID(roleName).InOrg(organization.ID)) {
 
@@ -73,13 +73,11 @@ func (api *API) postOrganizations(rw http.ResponseWriter, r *http.Request) {
 			CreatedAt:      database.Now(),
 			UpdatedAt:      database.Now(),
 			Roles: []string{
-				// Also assign member role incase they get demoted from admin
-				rbac.RoleOrgMember(organization.ID),
 				rbac.RoleOrgAdmin(organization.ID),
 			},
 		})
 		if err != nil {
-			return xerrors.Errorf("create organization member: %w", err)
+			return xerrors.Errorf("create organization admin: %w", err)
 		}
 		return nil
 	})
 
@@ -63,7 +63,7 @@ var (
 		member: func(_ string) Role {
 			return Role{
 				Name:        member,
-				DisplayName: "Member",
+				DisplayName: "",
 				Site: permissions(map[Object][]Action{
 					// All users can read all other users and know they exist.
 					ResourceUser:           {ActionRead},
@@ -116,7 +116,7 @@ var (
 		orgMember: func(organizationID string) Role {
 			return Role{
 				Name:        roleName(orgMember, organizationID),
-				DisplayName: "Organization Member",
+				DisplayName: "",
 				Org: map[string][]Permission{
 					organizationID: {
 						{
 
@@ -17,7 +17,9 @@ type Permission struct {
 // Users of this package should instead **only** use the role names, and
 // this package will expand the role names into their json payloads.
 type Role struct {
-	Name        string       `json:"name"`
+	Name string `json:"name"`
+	// DisplayName is used for UI purposes. If the role has no display name,
+	// that means the UI should never display it.
 	DisplayName string       `json:"display_name"`
 	Site        []Permission `json:"site"`
 	// Org is a map of orgid to permissions. We represent orgid as a string.
 
@@ -45,7 +45,7 @@ func (api *API) checkPermissions(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	// use the roles of the user specified, not the person making the request.
-	roles, err := api.Database.GetAllUserRoles(r.Context(), user.ID)
+	roles, err := api.Database.GetAuthorizationUserRoles(r.Context(), user.ID)
 	if err != nil {
 		httpapi.Forbidden(rw)
 		return
@@ -91,6 +91,10 @@ func convertRole(role rbac.Role) codersdk.Role {
 func convertRoles(roles []rbac.Role) []codersdk.Role {
 	converted := make([]codersdk.Role, 0, len(roles))
 	for _, role := range roles {
+		// Roles without display names should never be shown to the ui.
+		if role.DisplayName == "" {
+			continue
+		}
 		converted = append(converted, convertRole(role))
 	}
 	return converted
Original file line number	Diff line number	Diff line change
`@@ -13,12 +13,12 @@ import (`
`13`	`13`	`)`
`14`	`14`
`15`	`15`	`func AuthorizeFilter[O rbac.Objecter](api API, r http.Request, action rbac.Action, objects []O) []O {`
`16`		`- roles := httpmw.UserRoles(r)`
	`16`	`+ roles := httpmw.AuthorizationUserRoles(r)`
`17`	`17`	`return rbac.Filter(r.Context(), api.Authorizer, roles.ID.String(), roles.Roles, action, objects)`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`func (api API) Authorize(rw http.ResponseWriter, r http.Request, action rbac.Action, object rbac.Objecter) bool {`
`21`		`- roles := httpmw.UserRoles(r)`
	`21`	`+ roles := httpmw.AuthorizationUserRoles(r)`
`22`	`22`	`err := api.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, action, object.RBACObject())`
`23`	`23`	`if err != nil {`
`24`	`24`	`httpapi.Write(rw, http.StatusForbidden, httpapi.Response{`
Original file line number	Diff line number	Diff line change
`@@ -281,7 +281,7 @@ func CreateAnotherUser(t testing.T, client codersdk.Client, organizationID uui`
`281`	`281`	`organizationID, err := uuid.Parse(orgID)`
`282`	`282`	`require.NoError(t, err, fmt.Sprintf("parse org id %q", orgID))`
`283`	`283`	`_, err = client.UpdateOrganizationMemberRoles(context.Background(), organizationID, user.ID.String(),`
`284`		`- codersdk.UpdateRoles{Roles: append(roles, rbac.RoleOrgMember(organizationID))})`
	`284`	`+ codersdk.UpdateRoles{Roles: roles})`
`285`	`285`	`require.NoError(t, err, "update org membership roles")`
`286`	`286`	`}`
`287`	`287`	`}`
Original file line number	Diff line number	Diff line change
`@@ -276,7 +276,7 @@ func (q *fakeQuerier) GetUsersByIDs(_ context.Context, ids []uuid.UUID) ([]datab`
`276`	`276`	`return users, nil`
`277`	`277`	`}`
`278`	`278`
`279`		`-func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (database.GetAllUserRolesRow, error) {`
	`279`	`+func (q *fakeQuerier) GetAuthorizationUserRoles(_ context.Context, userID uuid.UUID) (database.GetAuthorizationUserRolesRow, error) {`
`280`	`280`	`q.mutex.RLock()`
`281`	`281`	`defer q.mutex.RUnlock()`
`282`	`282`
`@@ -286,6 +286,7 @@ func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (data`
`286`	`286`	`if u.ID == userID {`
`287`	`287`	`u := u`
`288`	`288`	`roles = append(roles, u.RBACRoles...)`
	`289`	`+ roles = append(roles, "member")`
`289`	`290`	`user = &u`
`290`	`291`	`break`
`291`	`292`	`}`
`@@ -294,14 +295,15 @@ func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (data`
`294`	`295`	`for _, mem := range q.organizationMembers {`
`295`	`296`	`if mem.UserID == userID {`
`296`	`297`	`roles = append(roles, mem.Roles...)`
	`298`	`+ roles = append(roles, "organization-member:"+mem.OrganizationID.String())`
`297`	`299`	`}`
`298`	`300`	`}`
`299`	`301`
`300`	`302`	`if user == nil {`
`301`		`- return database.GetAllUserRolesRow{}, sql.ErrNoRows`
	`303`	`+ return database.GetAuthorizationUserRolesRow{}, sql.ErrNoRows`
`302`	`304`	`}`
`303`	`305`
`304`		`- return database.GetAllUserRolesRow{`
	`306`	`+ return database.GetAuthorizationUserRolesRow{`
`305`	`307`	`ID: userID,`
`306`	`308`	`Username: user.Username,`
`307`	`309`	`Status: user.Status,`