@@ -159,7 +159,7 @@ import {
159159} from "@gitpod/usage-api/lib/usage/v1/billing.pb" ;
160160import { ClientError } from "nice-grpc-common" ;
161161import { BillingModes } from "../billing/billing-mode" ;
162- import { Authorizer , SYSTEM_USER } from "../authorization/authorizer" ;
162+ import { Authorizer , SYSTEM_USER , isFgaChecksEnabled } from "../authorization/authorizer" ;
163163import { OrganizationService } from "../orgs/organization-service" ;
164164import { RedisSubscriber } from "../messaging/redis-subscriber" ;
165165import { UsageService } from "../orgs/usage-service" ;
@@ -845,18 +845,21 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
845845 const result = await this . workspaceService . getWorkspace ( user . id , workspaceId ) ;
846846 const { workspace, latestInstance } = result ;
847847
848- const teamMembers = await this . organizationService . listMembers ( user . id , workspace . organizationId ) ;
849- await this . guardAccess ( { kind : "workspace" , subject : workspace , teamMembers : teamMembers } , "get" ) ;
850- if ( ! ! latestInstance ) {
851- await this . guardAccess (
852- {
853- kind : "workspaceInstance" ,
854- subject : latestInstance ,
855- workspace,
856- teamMembers,
857- } ,
858- "get" ,
859- ) ;
848+ // We must not try to fetch the team members if the user is FGA enabled, ebcause this might be a shared workspace, where the user has access to the workspace but not to the org.
849+ if ( ! ( await isFgaChecksEnabled ( user . id ) ) ) {
850+ const teamMembers = await this . organizationService . listMembers ( user . id , workspace . organizationId ) ;
851+ await this . guardAccess ( { kind : "workspace" , subject : workspace , teamMembers : teamMembers } , "get" ) ;
852+ if ( ! ! latestInstance ) {
853+ await this . guardAccess (
854+ {
855+ kind : "workspaceInstance" ,
856+ subject : latestInstance ,
857+ workspace,
858+ teamMembers,
859+ } ,
860+ "get" ,
861+ ) ;
862+ }
860863 }
861864
862865 return {
0 commit comments