[fga] add more logging to track down sharing issue (#18756)

Author: svenefftinge

components/server/src/authorization/spicedb-authorizer.ts

@@ -56,24 +56,28 @@ export class SpiceDBAuthorizer {
         },
     ): Promise<boolean> {
         const featureEnabled = await isFgaChecksEnabled(experimentsFields.userId);
-        if (!featureEnabled) {
-            return true;
-        }
         const timer = spicedbClientLatency.startTimer();
         let error: Error | undefined;
         try {
             const response = await tryThree("[spicedb] Failed to perform authorization check.", () =>
                 this.client.checkPermission(req, this.callOptions),
             );
             const permitted = response.permissionship === v1.CheckPermissionResponse_Permissionship.HAS_PERMISSION;
+            if (!permitted && !featureEnabled) {
+                log.info("[spicedb] Permission denied.", {
+                    response: new TrustedValue(response),
+                    request: new TrustedValue(req),
+                });
+                return true;
+            }
 
             return permitted;
         } catch (err) {
             error = err;
             log.error("[spicedb] Failed to perform authorization check.", err, {
                 request: new TrustedValue(req),
             });
-            return false;
+            return !featureEnabled;
         } finally {
             observeSpicedbClientLatency("check", error, timer());
         }

components/server/src/workspace/workspace-service.ts

@@ -890,7 +890,7 @@ export class WorkspaceService {
             const client = await this.clientProvider.get(instance.region);
             await client.controlAdmission({}, req);
         }
-
+        log.info({ userId, workspaceId }, "Admission level changed", { level });
         await this.db.transaction(async (db) => {
             const shareable = level === "everyone";
             await db.updatePartial(workspaceId, { shareable });