feat!: drop reading other 'user' permission (#8650)

* feat: drop reading other 'user' permission

Members of the platform can no longer read or list other users.
Resources that have "created_by" or "initiated_by" still retain
user context, but only include username and avatar url.

Attempting to read a user found via those means will result in
a 404.

* Hide /users page for regular users
* make groups a privledged endpoint
* Permissions page for template perms
* Admin for a given template enables an endpoint for listing users/groups.

coderd/database/modelmethods.go

@@ -194,14 +194,15 @@ func (w Workspace) LockedRBAC() rbac.Object {
 func (m OrganizationMember) RBACObject() rbac.Object {
 	return rbac.ResourceOrganizationMember.
 		WithID(m.UserID).
-		InOrg(m.OrganizationID)
+		InOrg(m.OrganizationID).
+		WithOwner(m.UserID.String())
 }
 
 func (m GetOrganizationIDsByMemberIDsRow) RBACObject() rbac.Object {
 	// TODO: This feels incorrect as we are really returning a list of orgmembers.
 	// This return type should be refactored to return a list of orgmembers, not this
 	// special type.
-	return rbac.ResourceUser.WithID(m.UserID)
+	return rbac.ResourceUserObject(m.UserID)
 }
 
 func (o Organization) RBACObject() rbac.Object {
@@ -233,7 +234,7 @@ func (f File) RBACObject() rbac.Object {
 // If you are trying to get the RBAC object for the UserData, use
 // u.UserDataRBACObject() instead.
 func (u User) RBACObject() rbac.Object {
-	return rbac.ResourceUser.WithID(u.ID)
+	return rbac.ResourceUserObject(u.ID)
 }
 
 func (u User) UserDataRBACObject() rbac.Object {
@@ -241,7 +242,7 @@ func (u User) UserDataRBACObject() rbac.Object {
 }
 
 func (u GetUsersRow) RBACObject() rbac.Object {
-	return rbac.ResourceUser.WithID(u.ID)
+	return rbac.ResourceUserObject(u.ID)
 }
 
 func (u GitSSHKey) RBACObject() rbac.Object {