Ban usage of Current.organization outside of request layer

Summary

Currently the plan in #437541 (closed) is to set the Current.organization in rack middleware.

Current.organization is kind-of magical in a sense that it can be referenced throughout the application and not just at the request layer. This can easily become more magical than intended and start to be referenced in the model/service and other layers, which will lead to a lot of ambiguity around Current.organization and expectations of it being set. Since we are only setting this, for now, in the rack middleware, we should try and guard its use to the layers that it will be known to be set from that.

Some of the Global state issues described well in this article we want to contain, but still use CurrentAttributes...for now.

This includes:

• Controller layer
• View layer(including helpers)
• API layer
• Graphql layer

This should promote the use of Current.organization to be more similar to the availability of the session.

If needed at the model/service/background jobs(workers) or other layers, we should pass it in like this:

class SomeController < ApplicationController
  def create
    response = SomeService.new(organization: Current.organization).execute
  end
end

Caveat: this maybe not a longterm solution, but for now it seems prudent to put guardrails around this use early.

Plan

• Create a simple rubocop linter to ban the use of Current.organization outside of the approved areas as described above. !145586 (merged)
• Lock setting of organization to be only done once, see #442751 (comment 1785926358) !145714 (merged)
• Figure out ways to alert dev earlier in dev process that use of Current.organization and the setter is banned - see #442751 (comment 1787087785). !145714 (merged)
  • there may not be a way to do this easily right now, so this is a nice to have. See thread for final decision: !145714 (comment 1789717285)