integer-underflow
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 3 additions & 2 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 3 additions & 2 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 2 additions & 2 deletions b/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/database/dbmem/dbmem.go
Lines changed: 14 additions & 6 deletions b/‎coderd/database/dbmem/dbmem.go
Lines changed: 14 additions & 6 deletions
diff --git a/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 3 additions & 3 deletions b/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎coderd/database/dbmock/dbmock.go
Lines changed: 6 additions & 6 deletions b/‎coderd/database/dbmock/dbmock.go
Lines changed: 6 additions & 6 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 4 additions & 1 deletion b/‎coderd/database/dump.sql
Lines changed: 4 additions & 1 deletion
diff --git a/‎coderd/database/migrations/000210_custom_role_orgs.down.sql
Lines changed: 3 additions & 0 deletions b/‎coderd/database/migrations/000210_custom_role_orgs.down.sql
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000210_custom_role_orgs.up.sql
Lines changed: 5 additions & 0 deletions b/‎coderd/database/migrations/000210_custom_role_orgs.up.sql
Lines changed: 5 additions & 0 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 2 additions & 0 deletions b/‎coderd/database/models.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 1 addition & 1 deletion b/‎coderd/database/querier.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 61 additions & 2 deletions b/‎coderd/database/queries.sql.go
Lines changed: 61 additions & 2 deletions
diff --git a/‎coderd/database/queries/roles.sql
Lines changed: 11 additions & 2 deletions b/‎coderd/database/queries/roles.sql
Lines changed: 11 additions & 2 deletions
diff --git a/‎coderd/httpapi/name.go
Lines changed: 1 addition & 1 deletion b/‎coderd/httpapi/name.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/rbac/rolestore/rolestore.go
Lines changed: 3 additions & 1 deletion b/‎coderd/rbac/rolestore/rolestore.go
Lines changed: 3 additions & 1 deletion
diff --git a/‎coderd/roles.go
Lines changed: 20 additions & 4 deletions b/‎coderd/roles.go
Lines changed: 20 additions & 4 deletions
diff --git a/‎coderd/roles_test.go
Lines changed: 4 additions & 6 deletions b/‎coderd/roles_test.go
Lines changed: 4 additions & 6 deletions
diff --git a/‎codersdk/roles.go
Lines changed: 1 addition & 1 deletion b/‎codersdk/roles.go
Lines changed: 1 addition & 1 deletion
@@ -835,11 +835,12 @@ func (q *querier) CleanTailnetTunnels(ctx context.Context) error {
 	return q.db.CleanTailnetTunnels(ctx)
 }
 
-func (q *querier) CustomRolesByName(ctx context.Context, lookupRoles []string) ([]database.CustomRole, error) {
+// TODO: Handle org scoped lookups
+func (q *querier) CustomRoles(ctx context.Context, arg database.CustomRolesParams) ([]database.CustomRole, error) {
 	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceAssignRole); err != nil {
 		return nil, err
 	}
-	return q.db.CustomRolesByName(ctx, lookupRoles)
+	return q.db.CustomRoles(ctx, arg)
 }
 
 func (q *querier) DeleteAPIKeyByID(ctx context.Context, id string) error {
 
@@ -1167,8 +1167,8 @@ func (s *MethodTestSuite) TestUser() {
 		b := dbgen.User(s.T(), db, database.User{})
 		check.Args().Asserts(rbac.ResourceSystem, policy.ActionRead).Returns(slice.New(a.ID, b.ID))
 	}))
-	s.Run("CustomRolesByName", s.Subtest(func(db database.Store, check *expects) {
-		check.Args([]string{}).Asserts(rbac.ResourceAssignRole, policy.ActionRead).Returns([]database.CustomRole{})
+	s.Run("CustomRoles", s.Subtest(func(db database.Store, check *expects) {
+		check.Args(database.CustomRolesParams{}).Asserts(rbac.ResourceAssignRole, policy.ActionRead).Returns([]database.CustomRole{})
 	}))
 	s.Run("Blank/UpsertCustomRole", s.Subtest(func(db database.Store, check *expects) {
 		// Blank is no perms in the role
 
@@ -1174,18 +1174,26 @@ func (*FakeQuerier) CleanTailnetTunnels(context.Context) error {
 	return ErrUnimplemented
 }
 
-func (q *FakeQuerier) CustomRolesByName(_ context.Context, lookupRoles []string) ([]database.CustomRole, error) {
+func (q *FakeQuerier) CustomRoles(_ context.Context, arg database.CustomRolesParams) ([]database.CustomRole, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
 	found := make([]database.CustomRole, 0)
 	for _, role := range q.data.customRoles {
-		if slices.ContainsFunc(lookupRoles, func(s string) bool {
-			return strings.EqualFold(s, role.Name)
-		}) {
-			role := role
-			found = append(found, role)
+		if len(arg.LookupRoles) > 0 {
+			if !slices.ContainsFunc(arg.LookupRoles, func(s string) bool {
+				return strings.EqualFold(s, role.Name)
+			}) {
+				continue
+			}
 		}
+
+		if arg.ExcludeOrgRoles && role.OrganizationID.Valid {
+			continue
+		}
+
+		role := role
+		found = append(found, role)
 	}
 
 	return found, nil
 
@@ -0,0 +1,3 @@
+ALTER TABLE custom_roles
+	-- This column is nullable, meaning no organization scope
+	DROP COLUMN organization_id;
@@ -0,0 +1,5 @@
+ALTER TABLE custom_roles
+	-- This column is nullable, meaning no organization scope
+	ADD COLUMN organization_id uuid;
+
+COMMENT ON COLUMN custom_roles.organization_id IS 'Roles can optionally be scoped to an organization'
@@ -1,14 +1,23 @@
--- name: CustomRolesByName :many
+-- name: CustomRoles :many
 SELECT
 	*
 FROM
 	custom_roles
 WHERE
+  true
+  -- Lookup roles filter
+  AND CASE WHEN array_length(@lookup_roles :: text[], 1) > 0  THEN
 	-- Case insensitive
 	name ILIKE ANY(@lookup_roles :: text [])
+    ELSE true
+  END
+  -- Org scoping filter, to only fetch site wide roles
+  AND CASE WHEN @exclude_org_roles :: boolean  THEN
+	organization_id IS null
+	ELSE true
+  END
 ;
 
-
 -- name: UpsertCustomRole :one
 INSERT INTO
 	custom_roles (
 
@@ -38,7 +38,7 @@ func UsernameFrom(str string) string {
 }
 
 // NameValid returns whether the input string is a valid name.
-// It is a generic validator for any name (user, workspace, template, etc.).
+// It is a generic validator for any name (user, workspace, template, role name, etc.).
 func NameValid(str string) error {
 	if len(str) > 32 {
 		return xerrors.New("must be <= 32 characters")
 
@@ -72,7 +72,9 @@ func Expand(ctx context.Context, db database.Store, names []string) (rbac.Roles,
 		// If some roles are missing from the database, they are omitted from
 		// the expansion. These roles are no-ops. Should we raise some kind of
 		// warning when this happens?
-		dbroles, err := db.CustomRolesByName(ctx, lookup)
+		dbroles, err := db.CustomRoles(ctx, database.CustomRolesParams{
+			LookupRoles: lookup,
+		})
 		if err != nil {
 			return nil, xerrors.Errorf("fetch custom roles: %w", err)
 		}
 
@@ -3,8 +3,11 @@ package coderd
 import (
 	"net/http"
 
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/db2sdk"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
+	"github.com/coder/coder/v2/coderd/rbac/rolestore"
 	"github.com/coder/coder/v2/codersdk"
 
 	"github.com/coder/coder/v2/coderd/httpapi"
@@ -29,6 +32,22 @@ func (api *API) AssignableSiteRoles(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	roles := rbac.SiteRoles()
+	customRoles, err := api.Database.CustomRoles(ctx, database.CustomRolesParams{
+		// Only site wide custom roles to be included
+		ExcludeOrgRoles: true,
+	})
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	for _, customRole := range customRoles {
+		rbacRole, err := rolestore.ConvertDBRole(customRole)
+		if err == nil {
+			roles = append(roles, rbacRole)
+		}
+	}
+
 	httpapi.Write(ctx, rw, http.StatusOK, assignableRoles(actorRoles.Roles, roles))
 }
 
@@ -66,10 +85,7 @@ func assignableRoles(actorRoles rbac.ExpandableRoles, roles []rbac.Role) []coder
 			continue
 		}
 		assignable = append(assignable, codersdk.AssignableRoles{
-			SlimRole: codersdk.SlimRole{
-				Name:        role.Name,
-				DisplayName: role.DisplayName,
-			},
+			Role:       db2sdk.Role(role),
 			Assignable: rbac.CanAssignRole(actorRoles, role.Name),
 		})
 	}
 
@@ -8,6 +8,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/coderd/database/db2sdk"
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/testutil"
@@ -143,20 +144,17 @@ func TestListRoles(t *testing.T) {
 	}
 }
 
-func convertRole(roleName string) codersdk.SlimRole {
+func convertRole(roleName string) codersdk.Role {
 	role, _ := rbac.RoleByName(roleName)
-	return codersdk.SlimRole{
-		DisplayName: role.DisplayName,
-		Name:        role.Name,
-	}
+	return db2sdk.Role(role)
 }
 
 func convertRoles(assignableRoles map[string]bool) []codersdk.AssignableRoles {
 	converted := make([]codersdk.AssignableRoles, 0, len(assignableRoles))
 	for roleName, assignable := range assignableRoles {
 		role := convertRole(roleName)
 		converted = append(converted, codersdk.AssignableRoles{
-			SlimRole:   role,
+			Role:       role,
 			Assignable: assignable,
 		})
 	}
 
@@ -19,7 +19,7 @@ type SlimRole struct {
 }
 
 type AssignableRoles struct {
-	SlimRole
+	Role
 	Assignable bool `json:"assignable"`
 }
Original file line number	Diff line number	Diff line change
`@@ -835,11 +835,12 @@ func (q *querier) CleanTailnetTunnels(ctx context.Context) error {`
`835`	`835`	`return q.db.CleanTailnetTunnels(ctx)`
`836`	`836`	`}`
`837`	`837`
`838`		`-func (q *querier) CustomRolesByName(ctx context.Context, lookupRoles []string) ([]database.CustomRole, error) {`
	`838`	`+// TODO: Handle org scoped lookups`
	`839`	`+func (q *querier) CustomRoles(ctx context.Context, arg database.CustomRolesParams) ([]database.CustomRole, error) {`
`839`	`840`	`if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceAssignRole); err != nil {`
`840`	`841`	`return nil, err`
`841`	`842`	`}`
`842`		`- return q.db.CustomRolesByName(ctx, lookupRoles)`
	`843`	`+ return q.db.CustomRoles(ctx, arg)`
`843`	`844`	`}`
`844`	`845`
`845`	`846`	`func (q *querier) DeleteAPIKeyByID(ctx context.Context, id string) error {`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+ALTER TABLE custom_roles`
	`2`	`+ -- This column is nullable, meaning no organization scope`
	`3`	`+ DROP COLUMN organization_id;`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ func UsernameFrom(str string) string {`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`// NameValid returns whether the input string is a valid name.`
`41`		`-// It is a generic validator for any name (user, workspace, template, etc.).`
	`41`	`+// It is a generic validator for any name (user, workspace, template, role name, etc.).`
`42`	`42`	`func NameValid(str string) error {`
`43`	`43`	`if len(str) > 32 {`
`44`	`44`	`return xerrors.New("must be <= 32 characters")`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ type SlimRole struct {`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`type AssignableRoles struct {`
`22`		`- SlimRole`
	`22`	`+ Role`
`23`	`23`	Assignable bool `json:"assignable"`
`24`	`24`	`}`
`25`	`25`