coder
diff --git a/‎coderd/coderd.go
Lines changed: 8 additions & 0 deletions b/‎coderd/coderd.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/database/databasefake/databasefake.go
Lines changed: 29 additions & 7 deletions b/‎coderd/database/databasefake/databasefake.go
Lines changed: 29 additions & 7 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 2 additions & 1 deletion b/‎coderd/database/querier.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 63 additions & 32 deletions b/‎coderd/database/queries.sql.go
Lines changed: 63 additions & 32 deletions
diff --git a/‎coderd/database/queries/organizationmembers.sql
Lines changed: 11 additions & 0 deletions b/‎coderd/database/queries/organizationmembers.sql
Lines changed: 11 additions & 0 deletions
diff --git a/‎coderd/database/queries/users.sql
Lines changed: 3 additions & 3 deletions b/‎coderd/database/queries/users.sql
Lines changed: 3 additions & 3 deletions
diff --git a/‎coderd/members.go
Lines changed: 92 additions & 0 deletions b/‎coderd/members.go
Lines changed: 92 additions & 0 deletions
@@ -120,6 +120,14 @@ func New(options *Options) (http.Handler, func()) {
 					r.Get("/", api.workspacesByOwner)
 				})
 			})
+			r.Route("/members", func(r chi.Router) {
+				r.Route("/{user}", func(r chi.Router) {
+					r.Use(
+						httpmw.ExtractUserParam(options.Database),
+					)
+					r.Put("/roles", api.putMemberRoles)
+				})
+			})
 		})
 		r.Route("/parameters/{scope}/{id}", func(r chi.Router) {
 			r.Use(apiKeyMiddleware)
 
@@ -747,6 +747,28 @@ func (q *fakeQuerier) GetOrganizationMembershipsByUserID(_ context.Context, user
 	return memberships, nil
 }
 
+func (q *fakeQuerier) UpdateMemberRoles(_ context.Context, arg database.UpdateMemberRolesParams) (database.OrganizationMember, error) {
+	for i, mem := range q.organizationMembers {
+		if mem.UserID == arg.UserID && mem.OrganizationID == arg.OrgID {
+			uniqueRoles := make([]string, 0, len(arg.GrantedRoles))
+			exist := make(map[string]struct{})
+			for _, r := range arg.GrantedRoles {
+				if _, ok := exist[r]; ok {
+					continue
+				}
+				exist[r] = struct{}{}
+				uniqueRoles = append(uniqueRoles, r)
+			}
+			sort.Strings(uniqueRoles)
+
+			mem.Roles = uniqueRoles
+			q.organizationMembers[i] = mem
+			return mem, nil
+		}
+	}
+	return database.OrganizationMember{}, sql.ErrNoRows
+}
+
 func (q *fakeQuerier) GetProvisionerDaemons(_ context.Context) ([]database.ProvisionerDaemon, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
@@ -1177,13 +1199,13 @@ func (q *fakeQuerier) InsertUser(_ context.Context, arg database.InsertUserParam
 		UpdatedAt:      arg.UpdatedAt,
 		Username:       arg.Username,
 		Status:         database.UserStatusActive,
-		RbacRoles:      arg.RbacRoles,
+		RBACRoles:      arg.RBACRoles,
 	}
 	q.users = append(q.users, user)
 	return user, nil
 }
 
-func (q *fakeQuerier) GrantUserRole(_ context.Context, arg database.GrantUserRoleParams) (database.User, error) {
+func (q *fakeQuerier) UpdateUserRoles(_ context.Context, arg database.UpdateUserRolesParams) (database.User, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
@@ -1192,20 +1214,20 @@ func (q *fakeQuerier) GrantUserRole(_ context.Context, arg database.GrantUserRol
 			continue
 		}
 
-		// Append the new roles
-		user.RbacRoles = append(user.RbacRoles, arg.GrantedRoles...)
+		// Set new roles
+		user.RBACRoles = arg.GrantedRoles
 		// Remove duplicates and sort
-		uniqueRoles := make([]string, 0, len(user.RbacRoles))
+		uniqueRoles := make([]string, 0, len(user.RBACRoles))
 		exist := make(map[string]struct{})
-		for _, r := range user.RbacRoles {
+		for _, r := range user.RBACRoles {
 			if _, ok := exist[r]; ok {
 				continue
 			}
 			exist[r] = struct{}{}
 			uniqueRoles = append(uniqueRoles, r)
 		}
 		sort.Strings(uniqueRoles)
-		user.RbacRoles = uniqueRoles
+		user.RBACRoles = uniqueRoles
 
 		q.users[index] = user
 		return user, nil
 
@@ -39,3 +39,14 @@ WHERE
     user_id = ANY(@ids :: uuid [ ])
 GROUP BY
     user_id;
+
+-- name: UpdateMemberRoles :one
+UPDATE
+	organization_members
+SET
+	-- Remove all duplicates from the roles.
+	roles = ARRAY(SELECT DISTINCT UNNEST(@granted_roles :: text[]))
+WHERE
+		user_id = @user_id
+		AND organization_id = @org_id
+RETURNING *;
@@ -49,12 +49,12 @@ SET
 WHERE
 	id = $1 RETURNING *;
 
--- name: GrantUserRole :one
+-- name: UpdateUserRoles :one
 UPDATE
     users
 SET
-	-- Append new roles and remove duplicates just to keep things clean.
-	rbac_roles = ARRAY(SELECT DISTINCT UNNEST(rbac_roles || @granted_roles :: text[]))
+	-- Remove all duplicates from the roles.
+	rbac_roles = ARRAY(SELECT DISTINCT UNNEST(@granted_roles :: text[]))
 WHERE
  	id = @id
 RETURNING *;
 
@@ -0,0 +1,92 @@
+package coderd
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/google/uuid"
+
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/coderd/rbac"
+
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/coderd/httpmw"
+	"github.com/coder/coder/codersdk"
+)
+
+func (api *api) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
+	// User is the user to modify
+	// TODO: Until rbac authorize is implemented, only be able to change your
+	//		own roles. This also means you can grant yourself whatever roles you want.
+	user := httpmw.UserParam(r)
+	apiKey := httpmw.APIKey(r)
+	organization := httpmw.OrganizationParam(r)
+	if apiKey.UserID != user.ID {
+		httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
+			Message: fmt.Sprintf("modifying other users is not supported at this time"),
+		})
+		return
+	}
+
+	var params codersdk.UpdateRoles
+	if !httpapi.Read(rw, r, &params) {
+		return
+	}
+
+	updatedUser, err := api.updateOrganizationMemberRoles(r.Context(), database.UpdateMemberRolesParams{
+		GrantedRoles: params.Roles,
+		UserID:       user.ID,
+		OrgID:        organization.ID,
+	})
+	if err != nil {
+		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+			Message: err.Error(),
+		})
+		return
+	}
+
+	httpapi.Write(rw, http.StatusOK, convertOrganizationMember(updatedUser))
+}
+
+func (api *api) updateOrganizationMemberRoles(ctx context.Context, args database.UpdateMemberRolesParams) (database.OrganizationMember, error) {
+	// Enforce only site wide roles
+	for _, r := range args.GrantedRoles {
+		// Must be an org role for the org in the args
+		orgID, ok := rbac.IsOrgRole(r)
+		if !ok {
+			return database.OrganizationMember{}, xerrors.Errorf("must only update organization roles")
+		}
+
+		roleOrg, err := uuid.Parse(orgID)
+		if err != nil {
+			return database.OrganizationMember{}, xerrors.Errorf("role must have proper uuids for organization, %q does not", r)
+		}
+
+		if roleOrg != args.OrgID {
+			return database.OrganizationMember{}, xerrors.Errorf("must only pass roles for org %q", args.OrgID.String())
+		}
+
+		if _, err := rbac.RoleByName(r); err != nil {
+			return database.OrganizationMember{}, xerrors.Errorf("%q is not a supported role", r)
+		}
+	}
+
+	updatedUser, err := api.Database.UpdateMemberRoles(ctx, args)
+	if err != nil {
+		return database.OrganizationMember{}, xerrors.Errorf("update site roles: %w", err)
+	}
+	return updatedUser, nil
+}
+
+func convertOrganizationMember(mem database.OrganizationMember) codersdk.OrganizationMember {
+	return codersdk.OrganizationMember{
+		UserID:         mem.UserID,
+		OrganizationID: mem.OrganizationID,
+		CreatedAt:      mem.CreatedAt,
+		UpdatedAt:      mem.UpdatedAt,
+		Roles:          mem.Roles,
+	}
+}