DataBiosphere · Qi77Qi · May 13, 2024 · May 13, 2024 · May 13, 2024 · Qi77Qi
@@ -202,13 +202,22 @@
       ctx <- as.ask
 
       // throw 403 if user doesn't have project permission
-      hasProjectPermission <- cloudContext.traverse(cc =>
-        authProvider.isUserProjectReader(
-          cc,
-          userInfo
-        )
-      )
-      _ <- F.raiseWhen(!hasProjectPermission.getOrElse(true))(ForbiddenError(userInfo.userEmail, Some(ctx.traceId)))
+      _ <- cloudContext match {
+        case Some(cc) =>
+          for {
+            hasProjectPermission <- authProvider.isUserProjectReader(
+              cc,
+              userInfo
+            )
+            _ <- F.raiseWhen(!hasProjectPermission)(
+              ForbiddenError(userInfo.userEmail, Some(ctx.traceId))
+            )
+          } yield ()
+        case None =>
+          authProvider.checkUserEnabled(
+            userInfo
+          ) // when request doesn't have cloudContext defined, we check if user is enabled
+      }
 
       paramMap <- F.fromEither(processListParameters(params))
       creatorOnly <- F.fromEither(processCreatorOnlyParameter(userInfo.userEmail, params, ctx.traceId))
@@ -262,9 +271,6 @@
             )
             .toVector
       }
-      // We authenticate actions on resources. If there are no visible disks,
-      // we need to check if user should be able to see the empty list.
-      _ <- if (res.isEmpty) authProvider.checkUserEnabled(userInfo) else F.unit
     } yield res
 
   override def deleteDisk(userInfo: UserInfo, googleProject: GoogleProject, diskName: DiskName)(implicit

@@ -268,19 +268,24 @@
     for {
       ctx <- as.ask
 
-      // Authorize: user has an active account and has accepted terms of service
-      _ <- authProvider.checkUserEnabled(userInfo)
-
-      // throw 403 if user doesn't have project permission
-      hasProjectPermission <- cloudContext.traverse(cc =>
-        authProvider.isUserProjectReader(
-          cc,
-          userInfo
-        )
-      )
-      _ <- ctx.span.traverse(s => F.delay(s.addAnnotation("Done checking project permission with Sam")))
-
-      _ <- F.raiseWhen(!hasProjectPermission.getOrElse(true))(ForbiddenError(userInfo.userEmail, Some(ctx.traceId)))
+      _ <- cloudContext match {
+        case Some(cc) =>
+          // throw 403 if user doesn't have project permission
+          for {
+            hasProjectPermission <- authProvider.isUserProjectReader(
+              cc,
+              userInfo
+            )
+            _ <- ctx.span.traverse(s => F.delay(s.addAnnotation("Done checking project permission with Sam")))
+            _ <- F.raiseWhen(!hasProjectPermission)(
+              ForbiddenError(userInfo.userEmail, Some(ctx.traceId))
+            )
+          } yield ()
+        case None =>
+          authProvider.checkUserEnabled(
+            userInfo
+          ) // when request doesn't have cloudContext defined, we check if user is enabled
+      }
 
       (labelMap, includeDeleted, _) <- F.fromEither(processListParameters(params))
       excludeStatuses = if (includeDeleted) List.empty else List(RuntimeStatus.Deleted)

@@ -778,12 +778,11 @@ class RuntimeV2ServiceInterp[F[_]: Parallel](
 
 }
 
-final case class AuthorizedIds(
-  val ownerGoogleProjectIds: Set[ProjectSamResourceId],
-  val ownerWorkspaceIds: Set[WorkspaceResourceSamResourceId],
-  val readerGoogleProjectIds: Set[ProjectSamResourceId],
-  val readerRuntimeIds: Set[SamResourceId],
-  val readerWorkspaceIds: Set[WorkspaceResourceSamResourceId]
+final case class AuthorizedIds(ownerGoogleProjectIds: Set[ProjectSamResourceId],
+                               ownerWorkspaceIds: Set[WorkspaceResourceSamResourceId],
+                               readerGoogleProjectIds: Set[ProjectSamResourceId],
+                               readerRuntimeIds: Set[SamResourceId],
+                               readerWorkspaceIds: Set[WorkspaceResourceSamResourceId]
 )
 
 final case class WorkspaceNotFoundException(workspaceId: WorkspaceId, traceId: TraceId)