fix: address PR comments from r4victor

Author: haydnli-shopify

src/dstack/_internal/server/routers/projects.py

@@ -16,8 +16,9 @@
 )
 from dstack._internal.server.security.permissions import (
     Authenticated,
+    ProjectAdmin,
     ProjectManager,
-    ProjectManagerOrPublicJoin,
+    ProjectManagerOrPublicProject,
     ProjectManagerOrSelfLeave,
     ProjectMemberOrPublicAccess,
 )
@@ -105,7 +106,7 @@ async def set_project_members(
 async def add_project_members(
     body: AddProjectMemberRequest,
     session: AsyncSession = Depends(get_session),
-    user_project: Tuple[UserModel, ProjectModel] = Depends(ProjectManagerOrPublicJoin()),
+    user_project: Tuple[UserModel, ProjectModel] = Depends(ProjectManagerOrPublicProject()),
 ) -> Project:
     user, project = user_project
     await projects.add_project_members(
@@ -143,7 +144,7 @@ async def remove_project_members(
 async def update_project_visibility(
     body: UpdateProjectVisibilityRequest,
     session: AsyncSession = Depends(get_session),
-    user_project: Tuple[UserModel, ProjectModel] = Depends(ProjectManager()),
+    user_project: Tuple[UserModel, ProjectModel] = Depends(ProjectAdmin()),
 ) -> Project:
     user, project = user_project
     await projects.update_project_visibility(

src/dstack/_internal/server/schemas/projects.py

@@ -1,4 +1,4 @@
-from typing import Annotated, List, Optional
+from typing import Annotated, List
 
 from pydantic import Field
 
@@ -8,7 +8,7 @@
 
 class CreateProjectRequest(CoreModel):
     project_name: str
-    is_public: Optional[bool] = False
+    is_public: bool = False
 
 
 class UpdateProjectVisibilityRequest(CoreModel):
@@ -32,10 +32,8 @@ class SetProjectMembersRequest(CoreModel):
 
 
 class AddProjectMemberRequest(CoreModel):
-    # Always accept a list of members for cleaner API design
     members: List[MemberSetting]
 
 
 class RemoveProjectMemberRequest(CoreModel):
-    # Always accept a list of usernames for cleaner API design
     usernames: List[str]

src/dstack/_internal/server/security/permissions.py

@@ -58,7 +58,7 @@ async def __call__(
             raise error_invalid_token()
         project = await get_project_model_by_name(session=session, project_name=project_name)
         if project is None:
-            raise error_forbidden()
+            raise error_not_found()
         if user.global_role == GlobalRole.ADMIN:
             return user, project
         project_role = get_user_project_role(user=user, project=project)
@@ -143,17 +143,19 @@ async def __call__(
         if project.is_public:
             return user, project
 
-        # Neither member nor public project
         raise error_forbidden()
 
 
-class ProjectManagerOrPublicJoin:
+class ProjectManagerOrPublicProject:
     """
     Allows:
-    1. Project managers to add any members
-    2. Any authenticated user to join public projects themselves
+    1. Project managers to perform member management operations
+    2. Access to public projects for any authenticated user
     """
 
+    def __init__(self):
+        self.project_manager = ProjectManager()
+
     async def __call__(
         self,
         project_name: str,

src/tests/_internal/server/routers/test_projects.py

@@ -1801,33 +1801,6 @@ async def test_project_admin_can_update_visibility(
         assert response.status_code == 200
         assert response.json()["is_public"] == False
 
-    @pytest.mark.asyncio
-    @pytest.mark.parametrize("test_db", ["sqlite", "postgres"], indirect=True)
-    async def test_project_manager_can_update_visibility(
-        self, test_db, session: AsyncSession, client: AsyncClient
-    ):
-        # Setup project with admin and manager
-        admin_user = await create_user(session=session, name="admin", global_role=GlobalRole.USER)
-        manager_user = await create_user(
-            session=session, name="manager", global_role=GlobalRole.USER
-        )
-        project = await create_project(session=session, owner=admin_user, is_public=False)
-        await add_project_member(
-            session=session, project=project, user=admin_user, project_role=ProjectRole.ADMIN
-        )
-        await add_project_member(
-            session=session, project=project, user=manager_user, project_role=ProjectRole.MANAGER
-        )
-
-        # Manager should be able to update visibility
-        response = await client.post(
-            f"/api/projects/{project.name}/update_visibility",
-            headers=get_auth_headers(manager_user.token),
-            json={"is_public": True},
-        )
-        assert response.status_code == 200
-        assert response.json()["is_public"] == True
-
     @pytest.mark.asyncio
     @pytest.mark.parametrize("test_db", ["sqlite", "postgres"], indirect=True)
     async def test_regular_user_cannot_update_visibility(