GoogleCloudPlatform / cloud-run-button

Let anyone deploy your GitHub repos to Google Cloud Run with a single click
https://cloud.run
Apache License 2.0
526 stars 91 forks

Policies Can Prohibit Actions #161

Closed jamesward closed 4 years ago

jamesward commented 4 years ago

Validate that the user has the necessary privileges on a given project. If not, allow them to select a different project.

ahmetb commented 4 years ago

I'm not at all sure what policies can prevent this. Org policies, or IAM, or something else? Also not sure what % of users are currently impacted. Any hint on that might help decide if we should implement the check, as the implementation might be rather complicated depending on what policies are involved.

I'm also suspecting we can't reliably test actions we take through a permission engine like IAM. No way to evaluate even simple IAM policies until you actually take the action.

Factoring in the many things that we do (querying projects, querying billing account, querying APIs, enabling APIs, uploading images, setting IAM bindings on Cloud Run for public access), I'm not at all sure how to go about implementing it reliably. Maybe some common failures can be checked as best effort.

ahmetb commented 4 years ago

@jamesward any follow-up? I'm inclined to close this for now.

jamesward commented 4 years ago

I'm fine to close as "infeasible", especially since it doesn't seem like many people have run into this.