enforce write only access to folder http endpoint

runhouse/servers/http/auth.py

@@ -75,6 +75,7 @@ def clear_cache(self, token: str = None):
 async def averify_cluster_access(
     cluster_uri: str,
     token: str,
+    write_only_access: bool = False,
 ) -> bool:
     """Checks whether the user has access to the cluster.
     Note: A user with write access to the cluster or a cluster owner will have access to all other resources on
@@ -94,4 +95,7 @@ async def averify_cluster_access(
 
     cluster_access_level = await obj_store.aresource_access_level(token, cluster_uri)
 
+    if write_only_access:
+        return cluster_access_level == ResourceAccess.WRITE
+
     return cluster_access_level in [ResourceAccess.WRITE, ResourceAccess.READ]

runhouse/servers/http/http_server.py

@@ -75,6 +75,7 @@ async def wrapper(*args, **kwargs):
         is_coro = inspect.iscoroutinefunction(func)
 
         func_call: bool = func.__name__ in ["post_call", "get_call"]
+        write_only_access: bool = func.__name__ in ["folder_operation"]
         token = get_token_from_request(request)
 
         request_id = request.headers.get("X-Request-ID", str(uuid.uuid4()))
@@ -90,7 +91,9 @@ async def wrapper(*args, **kwargs):
                         "provide a valid token in the Authorization header.",
                     )
                 cluster_uri = (await obj_store.aget_cluster_config()).get("name")
-                cluster_access = await averify_cluster_access(cluster_uri, token)
+                cluster_access = await averify_cluster_access(
+                    cluster_uri, token, write_only_access
+                )
                 if not cluster_access:
                     # Must have cluster access for all the non func calls
                     # Note: for func calls we handle the auth in the object store