Closed
Description
Objective
- Regular members on coder will not be able to list or read other members/users.
- To maintain good UX, context information of `created_by` will be kept on templates, workspace builds, etc. This will require the `read` permission on the primary resource being fetched. Included user info will be `username` and `avatar_url`.
- A new route will be added to list username + avatar of all users. This endpoint is only usable if a user has "admin" perms on a given template so they can adjust the permissions for said template.
Related:
- Limit member visibility for non-admins #4318
- A user who is only a member can see the Users tab, all users, and all groups #4550
Version: v0.12.5+165b6fb
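The access model above, as an added example written for this page rather than code from the coder project: site-wide `ListUsers` is refused to members, `GetTemplate` needs only read on the template and resolves `created_by` server-side into the `username` + `avatar_url` projection, and the new `ListTemplateUsers` route returns that same minimal projection only to an actor holding admin on that specific template. The role names, the per-template `Readers`/`Admins` sets, the `Store` type and the sample users are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Site-wide roles (assumption): only "owner" may list or read other users.
// Template admin is a separate per-template grant, held in Template.Admins.
type Role string

const (
	RoleOwner  Role = "owner"
	RoleMember Role = "member"
)

// User is the full record that must stay hidden from members.
type User struct {
	ID, Username, AvatarURL, Email string // Email never leaves the server via MinimalUser
	Role                           Role
}

// MinimalUser is the created_by projection: username + avatar_url, nothing else.
type MinimalUser struct {
	Username  string `json:"username"`
	AvatarURL string `json:"avatar_url"`
}

// Template carries a hypothetical ACL: user IDs with read, and with admin.
type Template struct {
	ID, Name, CreatedByID string
	Readers, Admins       map[string]bool
}

// TemplateView is what a reader of the template receives.
type TemplateView struct {
	ID, Name  string
	CreatedBy MinimalUser
}

var ErrForbidden = errors.New("forbidden")

type Store struct {
	Users     map[string]User
	Templates map[string]Template
}

func (s *Store) canReadTemplate(a User, t Template) bool {
	return a.Role == RoleOwner || t.Readers[a.ID] || t.Admins[a.ID]
}

func (s *Store) canAdminTemplate(a User, t Template) bool {
	return a.Role == RoleOwner || t.Admins[a.ID]
}

func minimal(u User) MinimalUser { return MinimalUser{u.Username, u.AvatarURL} }

// ListUsers returns full records and is owner-only; a member gets ErrForbidden
// rather than an empty list, so the UI can hide the Users page entirely.
func (s *Store) ListUsers(actor User) ([]User, error) {
	if actor.Role != RoleOwner {
		return nil, ErrForbidden
	}
	out := make([]User, 0, len(s.Users))
	for _, u := range s.Users {
		out = append(out, u)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Username < out[j].Username })
	return out, nil
}

// GetTemplate needs only read on the template: created_by is resolved here and
// reduced to MinimalUser, so the actor never needs permission to read users.
func (s *Store) GetTemplate(actor User, templateID string) (TemplateView, error) {
	t, ok := s.Templates[templateID]
	if !ok || !s.canReadTemplate(actor, t) {
		return TemplateView{}, ErrForbidden // same error for missing and denied: no ID probing
	}
	creator, ok := s.Users[t.CreatedByID]
	if !ok {
		return TemplateView{}, fmt.Errorf("template %s: unknown creator", t.ID)
	}
	return TemplateView{ID: t.ID, Name: t.Name, CreatedBy: minimal(creator)}, nil
}

// ListTemplateUsers is the new route: the minimal projection of every user,
// returned only to an actor holding admin on the named template.
func (s *Store) ListTemplateUsers(actor User, templateID string) ([]MinimalUser, error) {
	t, ok := s.Templates[templateID]
	if !ok || !s.canAdminTemplate(actor, t) {
		return nil, ErrForbidden
	}
	out := make([]MinimalUser, 0, len(s.Users))
	for _, u := range s.Users {
		out = append(out, minimal(u))
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Username < out[j].Username })
	return out, nil
}

// NewSampleStore builds constructed sample data: owner alice created template
// t1; member bob may read it; member carol administers it.
func NewSampleStore() *Store {
	return &Store{
		Users: map[string]User{
			"u1": {"u1", "alice", "/avatars/alice.png", "alice@example.com", RoleOwner},
			"u2": {"u2", "bob", "/avatars/bob.png", "bob@example.com", RoleMember},
			"u3": {"u3", "carol", "/avatars/carol.png", "carol@example.com", RoleMember},
		},
		Templates: map[string]Template{
			"t1": {"t1", "docker", "u1", map[string]bool{"u2": true}, map[string]bool{"u3": true}},
		},
	}
}

func main() {
	s := NewSampleStore()
	bob, carol := s.Users["u2"], s.Users["u3"]
	_, err := s.ListUsers(bob)
	fmt.Println("bob ListUsers:", err)
	tv, _ := s.GetTemplate(bob, "t1")
	fmt.Printf("bob GetTemplate created_by: %+v\n", tv.CreatedBy)
	_, err = s.ListTemplateUsers(bob, "t1")
	fmt.Println("bob ListTemplateUsers:", err)
	mu, _ := s.ListTemplateUsers(carol, "t1")
	fmt.Printf("carol ListTemplateUsers: %+v\n", mu)
}
```

Two design points worth noting: `GetTemplate` returns the same `ErrForbidden` for a missing template and a denied one, so a member cannot enumerate template IDs by watching the error; and the minimal projection is built server-side from the creator record, so the client never receives the full `User` (including the email field) for someone it is not allowed to read.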
I'll post again for visibility but it seems like an anti-pattern to show the Users UI to any user.
This view shows users' roles so a form of social engineering could occur.
Groups are shown as well, which does seem secure.
If the other issue is being worked, great, but empathizing again.
Lastly, in a large deployment this is a waste of DB calls if someone bounces onto it.