CODING-CS
diff --git a/‎coderd/coderd.go
+2-13 b/‎coderd/coderd.go
+2-13
diff --git a/‎coderd/database/databasefake/databasefake.go
+6-3 b/‎coderd/database/databasefake/databasefake.go
+6-3
diff --git a/‎coderd/database/queries.sql.go
+25-15 b/‎coderd/database/queries.sql.go
+25-15
diff --git a/‎coderd/database/queries/users.sql
+9-5 b/‎coderd/database/queries/users.sql
+9-5
diff --git a/‎coderd/httpmw/apikey.go
+21-1 b/‎coderd/httpmw/apikey.go
+21-1
@@ -82,8 +82,6 @@ func New(options *Options) *API {
 	apiKeyMiddleware := httpmw.ExtractAPIKey(options.Database, &httpmw.OAuth2Configs{
 		Github: options.GithubOAuth2Config,
 	})
-	// TODO: @emyrk we should just move this into 'ExtractAPIKey'.
-	authRolesMiddleware := httpmw.ExtractUserRoles(options.Database)
 
 	r.Use(
 		func(next http.Handler) http.Handler {
@@ -125,7 +123,6 @@ func New(options *Options) *API {
 		r.Route("/files", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 				// This number is arbitrary, but reading/writing
 				// file content is expensive so it should be small.
 				httpmw.RateLimitPerMinute(12),
@@ -136,14 +133,12 @@ func New(options *Options) *API {
 		r.Route("/provisionerdaemons", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 			)
 			r.Get("/", api.provisionerDaemons)
 		})
 		r.Route("/organizations", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 			)
 			r.Post("/", api.postOrganizations)
 			r.Route("/{organization}", func(r chi.Router) {
@@ -179,7 +174,7 @@ func New(options *Options) *API {
 			})
 		})
 		r.Route("/parameters/{scope}/{id}", func(r chi.Router) {
-			r.Use(apiKeyMiddleware, authRolesMiddleware)
+			r.Use(apiKeyMiddleware)
 			r.Post("/", api.postParameter)
 			r.Get("/", api.parameters)
 			r.Route("/{name}", func(r chi.Router) {
@@ -189,7 +184,6 @@ func New(options *Options) *API {
 		r.Route("/templates/{template}", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 				httpmw.ExtractTemplateParam(options.Database),
 			)
 
@@ -204,7 +198,6 @@ func New(options *Options) *API {
 		r.Route("/templateversions/{templateversion}", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 				httpmw.ExtractTemplateVersionParam(options.Database),
 			)
 
@@ -229,7 +222,6 @@ func New(options *Options) *API {
 			r.Group(func(r chi.Router) {
 				r.Use(
 					apiKeyMiddleware,
-					authRolesMiddleware,
 				)
 				r.Post("/", api.postUser)
 				r.Get("/", api.users)
@@ -244,7 +236,7 @@ func New(options *Options) *API {
 					r.Put("/profile", api.putUserProfile)
 					r.Route("/status", func(r chi.Router) {
 						r.Put("/suspend", api.putUserStatus(database.UserStatusSuspended))
-						r.Put("/active", api.putUserStatus(database.UserStatusActive))
+						r.Put("/activate", api.putUserStatus(database.UserStatusActive))
 					})
 					r.Route("/password", func(r chi.Router) {
 						r.Put("/", api.putUserPassword)
@@ -292,7 +284,6 @@ func New(options *Options) *API {
 		r.Route("/workspaceresources/{workspaceresource}", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 				httpmw.ExtractWorkspaceResourceParam(options.Database),
 				httpmw.ExtractWorkspaceParam(options.Database),
 			)
@@ -301,7 +292,6 @@ func New(options *Options) *API {
 		r.Route("/workspaces", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 			)
 			r.Get("/", api.workspaces)
 			r.Route("/{workspace}", func(r chi.Router) {
@@ -327,7 +317,6 @@ func New(options *Options) *API {
 		r.Route("/workspacebuilds/{workspacebuild}", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 				httpmw.ExtractWorkspaceBuildParam(options.Database),
 				httpmw.ExtractWorkspaceParam(options.Database),
 			)
 
@@ -231,11 +231,13 @@ func (q *fakeQuerier) GetUsers(_ context.Context, params database.GetUsersParams
 		users = tmp
 	}
 
-	if params.Status != "" {
+	if len(params.Status) > 0 {
 		usersFilteredByStatus := make([]database.User, 0, len(users))
 		for i, user := range users {
-			if params.Status == string(user.Status) {
-				usersFilteredByStatus = append(usersFilteredByStatus, users[i])
+			for _, status := range params.Status {
+				if user.Status == status {
+					usersFilteredByStatus = append(usersFilteredByStatus, users[i])
+				}
 			}
 		}
 		users = usersFilteredByStatus
@@ -302,6 +304,7 @@ func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (data
 	return database.GetAllUserRolesRow{
 		ID:       userID,
 		Username: user.Username,
+		Status:   user.Status,
 		Roles:    roles,
 	}, nil
 }
 
@@ -101,17 +101,19 @@ WHERE
 		WHEN @search :: text != '' THEN (
 			email LIKE concat('%', @search, '%')
 			OR username LIKE concat('%', @search, '%')
-		)	
+		)
 		ELSE true
 	END
 	-- Filter by status
 	AND CASE
 		-- @status needs to be a text because it can be empty, If it was
 		-- user_status enum, it would not.
-		WHEN @status :: text != '' THEN (
-			status = @status :: user_status
+		WHEN cardinality(@status :: user_status[]) > 0 THEN (
+			status = ANY(@status :: user_status[])
 		)
-		ELSE true
+		ELSE
+		    -- Only show active by default
+		    status = 'active'
 	END
 	-- End of filters
 ORDER BY
@@ -135,7 +137,9 @@ WHERE
 -- name: GetAllUserRoles :one
 SELECT
     -- username is returned just to help for logging purposes
-	id, username, array_cat(users.rbac_roles, organization_members.roles) :: text[] AS roles
+    -- status is used to enforce 'suspended' users, as all roles are ignored
+    --	when suspended.
+	id, username, status, array_cat(users.rbac_roles, organization_members.roles) :: text[] AS roles
 FROM
 	users
 LEFT JOIN organization_members
 
@@ -175,7 +175,27 @@ func ExtractAPIKey(db database.Store, oauth *OAuth2Configs) func(http.Handler) h
 				}
 			}
 
-			ctx := context.WithValue(r.Context(), apiKeyContextKey{}, key)
+			// If the key is valid, we also fetch the user roles and status.
+			// The roles are used for RBAC authorize checks, and the status
+			// is to block 'suspended' users from accessing the platform.
+			roles, err := db.GetAllUserRoles(r.Context(), key.UserID)
+			if err != nil {
+				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
+					Message: "roles not found",
+				})
+				return
+			}
+
+			if roles.Status != database.UserStatusActive {
+				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
+					Message: fmt.Sprintf("user is not active (status = %q), contact an admin to reactivate your account", roles.Status),
+				})
+				return
+			}
+
+			ctx := r.Context()
+			ctx = context.WithValue(ctx, apiKeyContextKey{}, key)
+			ctx = context.WithValue(ctx, userRolesKey{}, roles)
 			next.ServeHTTP(rw, r.WithContext(ctx))
 		})
 	}
Original file line number	Diff line number	Diff line change
`@@ -231,11 +231,13 @@ func (q *fakeQuerier) GetUsers(_ context.Context, params database.GetUsersParams`
`231`	`231`	`users = tmp`
`232`	`232`	`}`
`233`	`233`
`234`		`- if params.Status != "" {`
	`234`	`+ if len(params.Status) > 0 {`
`235`	`235`	`usersFilteredByStatus := make([]database.User, 0, len(users))`
`236`	`236`	`for i, user := range users {`
`237`		`- if params.Status == string(user.Status) {`
`238`		`- usersFilteredByStatus = append(usersFilteredByStatus, users[i])`
	`237`	`+ for _, status := range params.Status {`
	`238`	`+ if user.Status == status {`
	`239`	`+ usersFilteredByStatus = append(usersFilteredByStatus, users[i])`
	`240`	`+ }`
`239`	`241`	`}`
`240`	`242`	`}`
`241`	`243`	`users = usersFilteredByStatus`
`@@ -302,6 +304,7 @@ func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (data`
`302`	`304`	`return database.GetAllUserRolesRow{`
`303`	`305`	`ID: userID,`
`304`	`306`	`Username: user.Username,`
	`307`	`+ Status: user.Status,`
`305`	`308`	`Roles: roles,`
`306`	`309`	`}, nil`
`307`	`310`	`}`