[server] Allow org env vars in repos that don't have projects (#20774)

Enables the use case of collaborators allowing to use projects with a private default workspace image configured on the org-level. This is enabled by the optional `enableDockerdAuthentication` that was implemented in #20586 - shortly _after_ org-level-env vars was implemented in #20538.

Author: geropl

components/server/src/user/env-var-service.ts

@@ -317,6 +317,8 @@ export class EnvVarService {
         }
         if (projectId) {
             await this.auth.checkPermissionOnProject(requestorId, "read_env_var", projectId);
+        }
+        if (organizationId) {
             await this.auth.checkPermissionOnOrganization(requestorId, "read_env_var", organizationId);
         }
 
@@ -337,9 +339,7 @@ export class EnvVarService {
         }
 
         // 2. then org env vars (if applicable)
-        if (projectId) {
-            // !!! Important: Only apply the org env vars if the workspace is part of a project
-            // This is to prevent leaking org env vars to workspaces randomly started in an organization (safety feature)
+        if (organizationId) {
             const orgEnvVars =
                 (await ApplicationError.notFoundToUndefined(this.listOrgEnvVars(requestorId, organizationId))) || [];
             const withValues: OrgEnvVarWithValue[] = await this.orgDB.getOrgEnvironmentVariableValues(orgEnvVars);