coder
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 26 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 26 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 22 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 22 additions & 0 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 4 additions & 0 deletions b/‎coderd/coderd.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 7 additions & 3 deletions b/‎coderd/database/queries.sql.go
Lines changed: 7 additions & 3 deletions
diff --git a/‎coderd/database/queries/roles.sql
Lines changed: 2 additions & 0 deletions b/‎coderd/database/queries/roles.sql
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/roles.go
Lines changed: 56 additions & 0 deletions b/‎coderd/roles.go
Lines changed: 56 additions & 0 deletions
diff --git a/‎codersdk/roles.go
Lines changed: 1 addition & 1 deletion b/‎codersdk/roles.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/api/members.md
Lines changed: 124 additions & 0 deletions b/‎docs/api/members.md
Lines changed: 124 additions & 0 deletions
@@ -827,6 +827,8 @@ func New(options *Options) *API {
 				})
 				r.Route("/members", func(r chi.Router) {
 					r.Get("/roles", api.assignableOrgRoles)
+					r.With(httpmw.RequireExperiment(api.Experiments, codersdk.ExperimentCustomRoles)).
+						Patch("/roles", api.patchOrgRoles)
 					r.Route("/{user}", func(r chi.Router) {
 						r.Use(
 							httpmw.ExtractOrganizationMemberParam(options.Database),
@@ -1247,6 +1249,8 @@ type API struct {
 	// passed to dbauthz.
 	AccessControlStore *atomic.Pointer[dbauthz.AccessControlStore]
 	PortSharer         atomic.Pointer[portsharing.PortSharer]
+	// CustomRoleHandler is the AGPL/Enterprise implementation for custom roles.
+	CustomRoleHandler atomic.Pointer[CustomRoleHandler]
 
 	HTTPAuth *HTTPAuthorizer
 
 
@@ -23,6 +23,7 @@ INSERT INTO
 	custom_roles (
 	    name,
 	    display_name,
+	    organization_id,
 	    site_permissions,
 	    org_permissions,
 	    user_permissions,
@@ -33,6 +34,7 @@ VALUES (
         -- Always force lowercase names
         lower(@name),
         @display_name,
+        @organization_id,
         @site_permissions,
         @org_permissions,
         @user_permissions,
 
@@ -1,8 +1,11 @@
 package coderd
 
 import (
+	"context"
 	"net/http"
 
+	"github.com/google/uuid"
+
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/db2sdk"
 	"github.com/coder/coder/v2/coderd/httpmw"
@@ -14,6 +17,59 @@ import (
 	"github.com/coder/coder/v2/coderd/rbac"
 )
 
+// CustomRoleHandler handles AGPL/Enterprise interface for handling custom
+// roles. Ideally only included in the enterprise package, but the routes are
+// intermixed.
+type CustomRoleHandler interface {
+	PatchOrganizationRole(ctx context.Context, db database.Store, rw http.ResponseWriter, orgID uuid.UUID, role codersdk.Role) (codersdk.Role, bool)
+}
+
+type agplCustomRoleHandler struct{}
+
+func (agplCustomRoleHandler) PatchOrganizationRole(ctx context.Context, db database.Store, rw http.ResponseWriter, orgID uuid.UUID, role codersdk.Role) (codersdk.Role, bool) {
+	httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
+		Message: "Creating and updating custom roles is an Enterprise feature. Contact sales!",
+	})
+	return codersdk.Role{}, false
+}
+
+// patchRole will allow creating a custom organization role
+//
+// @Summary Upsert a custom organization role
+// @ID upsert-a-custom-organization-role
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Members
+// @Success 200 {array} codersdk.Role
+// @Router /organizations/{organization}/members/roles [patch]
+func (api *API) patchOrgRoles(rw http.ResponseWriter, r *http.Request) {
+	var (
+		ctx          = r.Context()
+		handler      = *api.CustomRoleHandler.Load()
+		organization = httpmw.OrganizationParam(r)
+	)
+
+	var req codersdk.Role
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	if err := httpapi.NameValid(req.Name); err != nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Invalid role name",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	updated, ok := handler.PatchOrganizationRole(ctx, api.Database, rw, organization.ID, req)
+	if !ok {
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, updated)
+}
+
 // AssignableSiteRoles returns all site wide roles that can be assigned.
 //
 // @Summary Get site member roles
 
@@ -35,7 +35,7 @@ type Permission struct {
 
 // Role is a longer form of SlimRole used to edit custom roles.
 type Role struct {
-	Name            string       `json:"name" table:"name,default_sort"`
+	Name            string       `json:"name" table:"name,default_sort" validate:"username"`
 	DisplayName     string       `json:"display_name" table:"display_name"`
 	SitePermissions []Permission `json:"site_permissions" table:"site_permissions"`
 	// map[<org_id>] -> Permissions