fix: stop leaking User into API handlers unless authorized

Fixes an issue where we extracted the `{user}` parameter from the URL and added it to the API Handler context regardless of whether the caller had permission to read the User.

coderd/httpmw/organizationparam.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/codersdk"
 )
@@ -25,8 +26,8 @@ func OrganizationParam(r *http.Request) database.Organization {
 
 // OrganizationMemberParam returns the organization membership that allowed the query
 // from the ExtractOrganizationParam handler.
-func OrganizationMemberParam(r *http.Request) database.OrganizationMember {
-	organizationMember, ok := r.Context().Value(organizationMemberParamContextKey{}).(database.OrganizationMember)
+func OrganizationMemberParam(r *http.Request) OrganizationMember {
+	organizationMember, ok := r.Context().Value(organizationMemberParamContextKey{}).(OrganizationMember)
 	if !ok {
 		panic("developer error: organization member param middleware not provided")
 	}
@@ -62,14 +63,31 @@ func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler
 	}
 }
 
+// OrganizationMember is the database object plus the Username. Including the Username in this
+// middleware is preferable to a join at the SQL layer so that we can keep the autogenerated
+// database types as they are.
+type OrganizationMember struct {
+	database.OrganizationMember
+	Username string
+}
+
 // ExtractOrganizationMemberParam grabs a user membership from the "organization" and "user" URL parameter.
 // This middleware requires the ExtractUser and ExtractOrganization middleware higher in the stack
 func ExtractOrganizationMemberParam(db database.Store) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
+			// We need to resolve the `{user}` URL parameter so that we can get the userID and
+			// username.  We do this as SystemRestricted since the caller might have permission
+			// to access the OrganizationMember object, but *not* the User object.  So, it is
+			// very important that we do not add the User object to the request context or otherwise
+			// leak it to the API handler.
+			// nolint:gocritic
+			user, ok := extractUserContext(dbauthz.AsSystemRestricted(ctx), db, rw, r)
+			if !ok {
+				return
+			}
 			organization := OrganizationParam(r)
-			user := UserParam(r)
 
 			organizationMember, err := db.GetOrganizationMemberByUserID(ctx, database.GetOrganizationMemberByUserIDParams{
 				OrganizationID: organization.ID,
@@ -87,7 +105,17 @@ func ExtractOrganizationMemberParam(db database.Store) func(http.Handler) http.H
 				return
 			}
 
-			ctx = context.WithValue(ctx, organizationMemberParamContextKey{}, organizationMember)
+			ctx = context.WithValue(ctx, organizationMemberParamContextKey{}, OrganizationMember{
+				OrganizationMember: organizationMember,
+				// Here we're making one exception to the rule about not leaking data about the user
+				// to the API handler, which is to include the username.  If the caller has permission
+				// to read the OrganizationMember, then we're explicitly saying here that they also
+				// have permission to see the member's username, which is itself uncontroversial.
+				//
+				// API handlers need this information for audit logging and returning the owner's
+				// username in response to creating a workspace.
+				Username: user.Username,
+			})
 			next.ServeHTTP(rw, r.WithContext(ctx))
 		})
 	}