feat: Add rbac to templateversion+orgmember endpoints (#1713)

coderd/httpmw/organizationparam.go

@@ -28,12 +28,12 @@ func OrganizationParam(r *http.Request) database.Organization {
 func OrganizationMemberParam(r *http.Request) database.OrganizationMember {
 	organizationMember, ok := r.Context().Value(organizationMemberParamContextKey{}).(database.OrganizationMember)
 	if !ok {
-		panic("developer error: organization param middleware not provided")
+		panic("developer error: organization member param middleware not provided")
 	}
 	return organizationMember
 }
 
-// ExtractOrganizationParam grabs an organization and user membership from the "organization" URL parameter.
+// ExtractOrganizationParam grabs an organization from the "organization" URL parameter.
 // This middleware requires the API key middleware higher in the call stack for authentication.
 func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
@@ -56,11 +56,23 @@ func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler
 				})
 				return
 			}
+			ctx := context.WithValue(r.Context(), organizationParamContextKey{}, organization)
+			next.ServeHTTP(rw, r.WithContext(ctx))
+		})
+	}
+}
+
+// ExtractOrganizationMemberParam grabs a user membership from the "organization" and "user" URL parameter.
+// This middleware requires the ExtractUser and ExtractOrganization middleware higher in the stack
+func ExtractOrganizationMemberParam(db database.Store) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			organization := OrganizationParam(r)
+			user := UserParam(r)
 
-			apiKey := APIKey(r)
 			organizationMember, err := db.GetOrganizationMemberByUserID(r.Context(), database.GetOrganizationMemberByUserIDParams{
 				OrganizationID: organization.ID,
-				UserID:         apiKey.UserID,
+				UserID:         user.ID,
 			})
 			if errors.Is(err, sql.ErrNoRows) {
 				httpapi.Write(rw, http.StatusForbidden, httpapi.Response{
@@ -74,9 +86,8 @@ func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler
 				})
 				return
 			}
+			ctx := context.WithValue(r.Context(), organizationMemberParamContextKey{}, organizationMember)
 
-			ctx := context.WithValue(r.Context(), organizationParamContextKey{}, organization)
-			ctx = context.WithValue(ctx, organizationMemberParamContextKey{}, organizationMember)
 			next.ServeHTTP(rw, r.WithContext(ctx))
 		})
 	}

coderd/httpmw/organizationparam_test.go

@@ -122,7 +122,7 @@ func TestOrganizationParam(t *testing.T) {
 		var (
 			db   = databasefake.New()
 			rw   = httptest.NewRecorder()
-			r, _ = setupAuthentication(db)
+			r, u = setupAuthentication(db)
 			rtr  = chi.NewRouter()
 		)
 		organization, err := db.InsertOrganization(r.Context(), database.InsertOrganizationParams{
@@ -133,9 +133,12 @@ func TestOrganizationParam(t *testing.T) {
 		})
 		require.NoError(t, err)
 		chi.RouteContext(r.Context()).URLParams.Add("organization", organization.ID.String())
+		chi.RouteContext(r.Context()).URLParams.Add("user", u.ID.String())
 		rtr.Use(
 			httpmw.ExtractAPIKey(db, nil),
+			httpmw.ExtractUserParam(db),
 			httpmw.ExtractOrganizationParam(db),
+			httpmw.ExtractOrganizationMemberParam(db),
 		)
 		rtr.Get("/", nil)
 		rtr.ServeHTTP(rw, r)
@@ -167,9 +170,12 @@ func TestOrganizationParam(t *testing.T) {
 		})
 		require.NoError(t, err)
 		chi.RouteContext(r.Context()).URLParams.Add("organization", organization.ID.String())
+		chi.RouteContext(r.Context()).URLParams.Add("user", user.ID.String())
 		rtr.Use(
 			httpmw.ExtractAPIKey(db, nil),
 			httpmw.ExtractOrganizationParam(db),
+			httpmw.ExtractUserParam(db),
+			httpmw.ExtractOrganizationMemberParam(db),
 		)
 		rtr.Get("/", func(rw http.ResponseWriter, r *http.Request) {
 			_ = httpmw.OrganizationParam(r)