GraphQL Workspace type should return projectID, not project
See related discussion here: #408623 (comment 1366531383)
MR: GraphQL Workspace type returns projectID, not p... (!118718 - merged)
Summary:
To avoid having to check read permissions to project for every workspace when a list of workspaces is queried from graphQL, just return the projectID and let the client look it up.
This handles the situation where a user may have lost access to the project after creation, either due to having auth permissions removed, or some other reason.
This does not mean they can't keep using the workspace, or that we should terminate the workspace.
But it does mean we should avoid the workspaces query returning any information about the project that could leak sensitive unauthorized information, even the project name.
Thus, we return the ID and let the client look up the workspaces' projects directly for any purpose it needs, such as displaying the name. And if a project is not found (e.g. because auth was revoked) the client can just display "MISSING" or something for the project name.
This approach is possible because the workspace -> project association is only needed upon workspace creation in order to read the devfile, and is not necessary to be used after that.
We could possibly do this auth for the associated project as part of the :read_workspace authorization, and we may still do so in the future. But that would introduce more backend complexity, and we currently are on an aggressive schedule to finish all security-related work this week in order to make the %16.0 release date for the initial Remote Development feature release.
See #408623 (comment 1366531383) for details.