From a14a264ebe6d75422862c959ab4002ccbd89183f Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Tue, 31 May 2022 15:12:50 -0500
Subject: [PATCH 1/3] feat: Prevent role changing on yourself.
Only allow changing roles on other users. Not much value in self changing at the moment
---
 coderd/members.go | 8 ++++++++
 coderd/users.go | 8 ++++++++
 2 files changed, 16 insertions(+)
diff --git a/coderd/members.go b/coderd/members.go
index 78f44294ae87f..68767658079f4 100644
--- a/coderd/members.go
+++ b/coderd/members.go
@@ -20,6 +20,14 @@ func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
 user := httpmw.UserParam(r)
 organization := httpmw.OrganizationParam(r)
 member := httpmw.OrganizationMemberParam(r)
+ apiKey := httpmw.APIKey(r)
+
+ if apiKey.UserID == member.UserID {
+ httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+ Message: "You cannot change your own organization roles.",
+ })
+ return
+ }

 var params codersdk.UpdateRoles
 if !httpapi.Read(rw, r, ¶ms) {
diff --git a/coderd/users.go b/coderd/users.go
index b8c91f5778d7e..7769a67d53fdc 100644
--- a/coderd/users.go
+++ b/coderd/users.go
@@ -474,6 +474,14 @@ func (api *API) putUserRoles(rw http.ResponseWriter, r *http.Request) {
 // User is the user to modify.
 user := httpmw.UserParam(r)
 roles := httpmw.UserRoles(r)
+ apiKey := httpmw.APIKey(r)
+
+ if apiKey.UserID == user.ID {
+ httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+ Message: "You cannot change your own roles.",
+ })
+ return
+ }

 var params codersdk.UpdateRoles
 if !httpapi.Read(rw, r, ¶ms) {
From 1112867a5e47877edebeb02a3c412b99507b8ca2 Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Tue, 31 May 2022 15:22:59 -0500
Subject: [PATCH 2/3] test: Fix test
---
 coderd/users_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/coderd/users_test.go b/coderd/users_test.go
index 6d48f4f2320d8..b7e63dc35e713 100644
--- a/coderd/users_test.go
+++ b/coderd/users_test.go
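Review bot: The self-change guard inserted ahead of `var params` in putMemberRoles answers with 400 Bad Request, but the request body is never even read at that point and the rejection is a policy decision about who the caller is, so 403 Forbidden (the code the surrounding tests already expect for other denied role changes) would describe it more accurately and keep client error handling consistent; the identical guard in the users.go hunk has the same issue, and the tests added in the third patch would need their expected status updated alongside. Since the two guards differ only in the compared ID and the message, a small shared helper would keep both endpoints in step if the policy changes later. A one-line comment above the check would also help readers, e.g. `// Reject self-targeted role edits up front so a caller cannot raise or drop their own privileges through this endpoint.`. Both enclosing functions continue past the end of their hunks, so the later authorization and update steps are not visible here.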
@@ -409,11 +409,11 @@ func TestGrantRoles(t *testing.T) {
 t.Run("UpdateIncorrectRoles", func(t *testing.T) {
 t.Parallel()
 ctx := context.Background()
+ var err error
+
 admin := coderdtest.New(t, nil)
 first := coderdtest.CreateFirstUser(t, admin)
 member := coderdtest.CreateAnotherUser(t, admin, first.OrganizationID)
- memberUser, err := member.User(ctx, codersdk.Me)
- require.NoError(t, err, "member user")

 _, err = admin.UpdateUserRoles(ctx, codersdk.Me, codersdk.UpdateRoles{
 Roles: []string{rbac.RoleOrgMember(first.OrganizationID)},
@@ -445,7 +445,7 @@ func TestGrantRoles(t *testing.T) {
 require.Error(t, err, "member cannot change other's roles")
 requireStatusCode(t, err, http.StatusForbidden)

- _, err = member.UpdateUserRoles(ctx, memberUser.ID.String(), codersdk.UpdateRoles{
+ _, err = member.UpdateUserRoles(ctx, first.UserID.String(), codersdk.UpdateRoles{
 Roles: []string{rbac.RoleMember()},
 })
 require.Error(t, err, "member cannot change any roles")
From 66802becdf20d36a1d95f7700d8d1108cded33ba Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Tue, 31 May 2022 15:25:55 -0500
Subject: [PATCH 3/3] Fix GrantAdmin test
---
 coderd/users_test.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/coderd/users_test.go b/coderd/users_test.go
index b7e63dc35e713..66ddb7ce6b771 100644
--- a/coderd/users_test.go
+++ b/coderd/users_test.go
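Review bot: The `admin.UpdateUserRoles(ctx, codersdk.Me, …)` call left as context at the end of the first hunk still targets the caller's own account, which the self-change guard added to putUserRoles in the previous patch now rejects before the submitted roles are validated, so the "UpdateIncorrectRoles" assertions that follow (outside this hunk) likely pass for a reason unrelated to the subtest's name. Keeping the removed `memberUser, err := member.User(ctx, codersdk.Me)` lookup and pointing those calls at `memberUser.ID.String()` would exercise the invalid-role path the subtest is meant to cover. In the second hunk the target becomes `first.UserID.String()`, which is another user's account, so the message `"member cannot change any roles"` now overlaps the `"member cannot change other's roles"` case just above it; something like `"member cannot change the first user's roles"` would state what is actually asserted. TestGrantRoles starts and ends outside both hunks.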
@@ -456,6 +456,18 @@ func TestGrantRoles(t *testing.T) {
 })
 require.Error(t, err, "member cannot change other's org roles")
 requireStatusCode(t, err, http.StatusForbidden)
+
+ _, err = admin.UpdateUserRoles(ctx, first.UserID.String(), codersdk.UpdateRoles{
+ Roles: []string{},
+ })
+ require.Error(t, err, "admin cannot change self roles")
+ requireStatusCode(t, err, http.StatusBadRequest)
+
+ _, err = admin.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, first.UserID.String(), codersdk.UpdateRoles{
+ Roles: []string{},
+ })
+ require.Error(t, err, "admin cannot change self org roles")
+ requireStatusCode(t, err, http.StatusBadRequest)
 })

 t.Run("FirstUserRoles", func(t *testing.T) {
@@ -508,7 +520,7 @@ func TestGrantRoles(t *testing.T) {
 require.NoError(t, err, "grant member admin role")

 // Promote to org admin
- _, err = member.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, codersdk.Me, codersdk.UpdateRoles{
+ _, err = admin.UpdateOrganizationMemberRoles(ctx, first.OrganizationID, memberUser.ID.String(), codersdk.UpdateRoles{
 Roles: []string{
 // Promote to org admin
 rbac.RoleOrgMember(first.OrganizationID),
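Review bot: The two new self-change cases in the first hunk send `Roles: []string{}` and accept any 400, so a 400 produced by role validation rather than by the new guard would also satisfy them; sending a valid role list such as the `rbac.RoleMember()` already used in this test, or matching the response message `"You cannot change your own roles."`, would pin the failure to the guard. They also never confirm the request had no effect, which is the property the guard exists for; reading the caller back with `me, err := admin.User(ctx, codersdk.Me)` and asserting its roles still equal the ones granted at setup would catch a regression where the check moves after the update. The second hunk now has `admin` promote `memberUser`, whose lookup was removed from the "UpdateIncorrectRoles" subtest in the previous patch, so it presumably comes from a separate lookup in this subtest that lies outside the hunk and is worth confirming. TestGrantRoles starts and ends outside both hunks.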