feat: allow users with role Viewer and above to view resource quotas

[salonig23]

Ticket

DET-10430

Description

Allowed users with Viewer, Editor, Editor Restricted, Editor Project Restricted, Gen AI and Workspace Admin to be able to view resource quotas in the WebUI when RBAC is enabled. Cluster Admin can still modify and view resource quotas. Allowed all users to view quotas when RBAC is disabled. This involved allowing users who cannot modify the workspaces to also see the Edit Workspace Modal but they will be seeing a "Config" option instead of "Edit Workspace".

Test Plan

Set up minikube and create a namespace "test-ns" with a resource quota of 2.

• Login as Cluster Admin and create a workspace "w1" with no namespace binding, "w2" with auto-created namespace binding and some resource quota. and "w3" with "test-ns" as the namespace.
• Edit "w1" and change the binding to an auto-created namespace with some resource quota. Make sure it saves correctly.
• Edit "w2" and change the binding to "test-ns". Make sure that the updated resource quota shows up as 2.
• Edit "w3" and change the binding to an auto-created namespace with a resource quota of 2, and make sure that it saves correctly.
• login with Workspace Admin, and try to make changes to some of the workspaces and make sure that resource quota is not editable and there are no errors while saving the workspaces.
• log in as workspace creator and make sure that viewing resource quota is non visible.
• log in with the rest of the roles and make sure that resource quotas show up correctly and noneditable for:

1. Workspace with no binding
2. workspace with binding but no quota
3. workspace with autocreated binding and quota
4. workspace with other namespace binding and quota

Checklist

• Changes have been manually QA'd
• New features have been approved by the corresponding PM
• User-facing API changes have the "User-facing API Change" label
• Release notes have been added as a separate file under docs/release-notes/
  See Release Note for details.
• Licenses have been included for new code which was copied and/or modified from any external code

[codecov]

Codecov Report

Attention: Patch coverage is 13.48315% with 77 lines in your changes missing coverage. Please review.

Project coverage is 54.35%. Comparing base (91d0b67) to head (1981395).
Report is 11 commits behind head on main.

Files	Patch %	Lines
...ebui/react/src/components/WorkspaceCreateModal.tsx	0.00%	56 Missing ⚠️
master/internal/workspace/authz_rbac.go	0.00%	9 Missing ⚠️
master/internal/api_workspace.go	0.00%	5 Missing ⚠️
master/internal/workspace/authz_permissive.go	0.00%	3 Missing ⚠️
master/internal/workspace/authz_basic_impl.go	0.00%	2 Missing ⚠️
...rc/pages/WorkspaceList/WorkspaceActionDropdown.tsx	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #9822      +/-   ##
==========================================
- Coverage   54.38%   54.35%   -0.03%     
==========================================
  Files        1261     1261              
  Lines      155770   155842      +72     
  Branches     3540     3542       +2     
==========================================
- Hits        84711    84710       -1     
- Misses      70921    70994      +73     
  Partials      138      138              

Flag	Coverage Δ
backend	45.20% <0.00%> (-0.04%)	⬇️
harness	72.61% <ø> (ø)
web	53.67% <17.14%> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
webui/react/src/hooks/usePermissions.ts	77.17% <100.00%> (+0.35%)	⬆️
master/internal/workspace/authz_basic_impl.go	1.61% <0.00%> (-0.06%)	⬇️
...rc/pages/WorkspaceList/WorkspaceActionDropdown.tsx	0.00% <0.00%> (ø)
master/internal/workspace/authz_permissive.go	1.56% <0.00%> (-0.08%)	⬇️
master/internal/api_workspace.go	63.49% <0.00%> (-0.14%)	⬇️
master/internal/workspace/authz_rbac.go	0.35% <0.00%> (-0.02%)	⬇️
...ebui/react/src/components/WorkspaceCreateModal.tsx	0.00% <0.00%> (ø)

... and 6 files with indirect coverage changes

[netlify]

✅ Deploy Preview for determined-ui ready!

Name	Link
🔨 Latest commit	1981395
🔍 Latest deploy log	https://app.netlify.com/sites/determined-ui/deploys/66be7f32c69af60008bfd4c1
😎 Deploy Preview	https://deploy-preview-9822--determined-ui.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[johnkim-det]

looks like the e2e testing issue is related to a bug in this PR when editing an existing workspace -- the toggles don't seem to work.

[amandavialva01]

Instead of removing the CanGetWorkspaceID check, should we maybe do
a.getWorkspaceAndCheckCanDoActions(ctx, req.Id, false, workspace.AuthZProvider.Get().CanGetWorkspace, workspace.AuthZProvider.Get().CanViewResourceQuotas) so that we perform both of these checks? Or do we not need the CanGetWorkspaceID check here?

[salonig23]

I don't think we can check 2 permissions at a time, so I added both checks in a different way

[amandavialva01]

This LGTM modulo one comment!
Can we maybe add some unit tests in postgres_rbac_intg_test.go just to make sure the permissions are properly added to these respective roles?

[johnkim-det]

web LGTM

[amandavialva01]

LGTM, awesome work!