feat: remove user from groups on org membership delete (#14701)

* feat: remove user from groups on org membership delete

Groups inherently provide authz access to certain resources. If a
user is removed from an organization, they should be removed
from all their groups in said organization.

coderd/database/migrations/000252_group_member_trigger.down.sql

@@ -0,0 +1,2 @@
+DROP TRIGGER IF EXISTS trigger_delete_group_members_on_org_member_delete ON organization_members;
+DROP FUNCTION IF EXISTS delete_group_members_on_org_member_delete;

coderd/database/migrations/000252_group_member_trigger.up.sql

@@ -0,0 +1,23 @@
+CREATE FUNCTION delete_group_members_on_org_member_delete() RETURNS TRIGGER
+	LANGUAGE plpgsql
+AS $$
+DECLARE
+BEGIN
+	-- Remove the user from all groups associated with the same
+	-- organization as the organization_member being deleted.
+	DELETE FROM group_members
+	WHERE
+		user_id = OLD.user_id
+		AND group_id IN (
+			SELECT id
+			FROM groups
+			WHERE organization_id = OLD.organization_id
+		);
+	RETURN OLD;
+END;
+$$;
+
+CREATE TRIGGER trigger_delete_group_members_on_org_member_delete
+	BEFORE DELETE ON organization_members
+	FOR EACH ROW
+EXECUTE PROCEDURE delete_group_members_on_org_member_delete();