From c5c97527bcba4c1229d4abb6e236e150ac0dffca Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Wed, 14 Dec 2022 08:58:31 -0600
Subject: [PATCH 1/5] fix: No org admins until organizations are in the UI
Until organizations have management UI, we should not set any org admins. This goes around the site wide perms transparently and is confusing to users.
---
 coderd/organizations.go | 6 +++++-
 coderd/users.go | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/coderd/organizations.go b/coderd/organizations.go
index 9068f523488ad..27da001482f2d 100644
--- a/coderd/organizations.go
+++ b/coderd/organizations.go
@@ -76,7 +76,11 @@ func (api *API) postOrganizations(rw http.ResponseWriter, r *http.Request) {
 CreatedAt: database.Now(),
 UpdatedAt: database.Now(),
 Roles: []string{
- rbac.RoleOrgAdmin(organization.ID),
+ // TODO: When organizations are allowed to be created, we should
+ // come back to determining the default role of the person who
+ // creates the org. Until that happens, all users in an organization
+ // should be just regular members.
+ rbac.RoleOrgMember(organization.ID),
 },
 })
 if err != nil {
diff --git a/coderd/users.go b/coderd/users.go
index b3e42cba75c91..ea47cd66d4553 100644
--- a/coderd/users.go
+++ b/coderd/users.go
@@ -1071,7 +1071,11 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create
 return xerrors.Errorf("create organization: %w", err)
 }
 req.OrganizationID = organization.ID
- orgRoles = append(orgRoles, rbac.RoleOrgAdmin(req.OrganizationID))
+ // TODO: When organizations are allowed to be created, we should
+ // come back to determining the default role of the person who
+ // creates the org. Until that happens, all users in an organization
+ // should be just regular members.
+ orgRoles = append(orgRoles, rbac.RoleOrgMember(req.OrganizationID))
 _, err = tx.InsertAllUsersGroup(ctx, organization.ID)
 if err != nil {
From 702e9cee60585688449a16fc42c7cabf97fd17a8 Mon Sep 17 00:00:00 2001
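Review bot: The TODO added at the `Roles` literal in postOrganizations (coderd/organizations.go), and repeated above the `orgRoles = append(...)` line in CreateUser (coderd/users.go), says when to revisit the default role but not why the admin role was dropped. The commit message gives the reason, that an org admin goes around the site-wide permissions, and a later editor needs that before restoring `rbac.RoleOrgAdmin`. I would add a line such as `// Org admin goes around site-wide permissions; do not grant it by default.` to both comments. Because the same default is now chosen in two places, a small shared helper would keep them from drifting apart. Both enclosing functions start and end outside their hunks.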
From: Steven Masley
Date: Wed, 14 Dec 2022 09:10:27 -0600
Subject: [PATCH 2/5] Add migration
---
 coderd/database/migrations/000086_no_org_admins.down.sql | 0
 coderd/database/migrations/000086_no_org_admins.up.sql | 1 +
 2 files changed, 1 insertion(+)
 create mode 100644 coderd/database/migrations/000086_no_org_admins.down.sql
 create mode 100644 coderd/database/migrations/000086_no_org_admins.up.sql
diff --git a/coderd/database/migrations/000086_no_org_admins.down.sql b/coderd/database/migrations/000086_no_org_admins.down.sql
new file mode 100644
index 0000000000000..e69de29bb2d1d
diff --git a/coderd/database/migrations/000086_no_org_admins.up.sql b/coderd/database/migrations/000086_no_org_admins.up.sql
new file mode 100644
index 0000000000000..d04832ca35ee5
--- /dev/null
+++ b/coderd/database/migrations/000086_no_org_admins.up.sql
@@ -0,0 +1 @@
+UPDATE organization_members SET roles = ARRAY ['organization-member:'||organization_id];
From 7882580a018398315465194c499f13d4de2fd4ff Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Wed, 14 Dec 2022 15:39:30 +0000
Subject: [PATCH 3/5] Only affect admins
---
 coderd/database/migrations/000086_no_org_admins.up.sql | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/coderd/database/migrations/000086_no_org_admins.up.sql b/coderd/database/migrations/000086_no_org_admins.up.sql
index d04832ca35ee5..6801a912511e4 100644
--- a/coderd/database/migrations/000086_no_org_admins.up.sql
+++ b/coderd/database/migrations/000086_no_org_admins.up.sql
@@ -1 +1,6 @@
-UPDATE organization_members SET roles = ARRAY ['organization-member:'||organization_id];
+UPDATE
+ organization_members
+SET
+ roles = ARRAY [] :: text[]
+WHERE
+ 'organization-admin:'||organization_id = ANY(roles);
From 44f860ad6ba2522c235a44add51a7954ea22f8d3 Mon Sep 17 00:00:00 2001
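Review bot: In 000086_no_org_admins.up.sql as changed by patch 3, `roles = ARRAY [] :: text[]` clears every role on a row that holds the org-admin entry, not just that entry, so any other organization role stored alongside it is lost as well. `roles = array_remove(roles, 'organization-admin:'||organization_id)` with the same WHERE clause would remove only the admin grant. Patch 1 stores `rbac.RoleOrgMember(...)` for new creators while migrated rows end up with an empty array; if membership is not implied elsewhere (not visible here), the two sets of rows will carry different effective roles. The down migration added in patch 2 is empty, so the earlier admin assignments cannot be restored on rollback, and a comment in the down file saying so would help operators.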
From: Steven Masley
Date: Wed, 14 Dec 2022 15:43:26 +0000
Subject: [PATCH 4/5] Update initial roles test
---
 coderd/users_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/coderd/users_test.go b/coderd/users_test.go
index 9b78f6179ecaa..6b82d6940c9f6 100644
--- a/coderd/users_test.go
+++ b/coderd/users_test.go
@@ -921,7 +921,7 @@ func TestInitialRoles(t *testing.T) {
 }, "should be a member and admin")
 require.ElementsMatch(t, roles.OrganizationRoles[first.OrganizationID], []string{
- rbac.RoleOrgAdmin(first.OrganizationID),
+ rbac.RoleOrgMember(first.OrganizationID),
 }, "should be a member and admin")
 }
From d2ec7d7b457947a2d58a4b8b981b7de6f26ee2d0 Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Wed, 14 Dec 2022 15:49:45 +0000
Subject: [PATCH 5/5] Remove test that is no longer valid
Default user is no longer an org admin, so the demotion test makes no sense
---
 coderd/users_test.go | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/coderd/users_test.go b/coderd/users_test.go
index 6b82d6940c9f6..56b891b3301e0 100644
--- a/coderd/users_test.go
+++ b/coderd/users_test.go
@@ -817,15 +817,6 @@ func TestGrantSiteRoles(t *testing.T) {
 Error: true,
 StatusCode: http.StatusForbidden,
 },
- {
- Name: "MemberAssignMember",
- Client: member,
- OrgID: first.OrganizationID,
- AssignToUser: first.UserID.String(),
- Roles: []string{},
- Error: true,
- StatusCode: http.StatusForbidden,
- },
 {
 Name: "AdminUpdateOrgSelf",
 Client: admin,
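Review bot: In TestInitialRoles (coderd/users_test.go, patch 4), the assertion message on the organization-roles check still reads `"should be a member and admin"` although the expected value is now only `rbac.RoleOrgMember(first.OrganizationID)`. A failure would print a message that contradicts the expectation; `}, "should be an org member")` on that line would match the new behaviour. Separately, patch 5 deletes the MemberAssignMember case from TestGrantSiteRoles, which asserted a 403 when a member edits another user's organization roles. Whether a remaining case still covers that denial is not visible in these hunks, so it is worth confirming before merge.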