How does it match with the `user_group.viewer_paths`?
These are per user group. Do we add the `user.project_dir` to the things a user has access to?
Some potential complexities in whether users would have access to all their `zarr_dir`s
Let's be careful here that we add the admin-set user.project_dir, not all dataset.zarr_dir. Because a user could set those to anything and thus gain access to data they shouldn't if we use them in access management.
Agreed.
It's a low risk, because fractal-vizarr-viewer should never make any call to /api/ endpoints (like the ones that would list the dataset attributes), but only to /auth (i.e. the ones with info about users, usergroups, settings, ..).
tcompa changed the title from "PLACEHOLDER: optional zarr_dir" to "Include user_settings.project_dir in list of allowed paths, on top of usergroup.viewer_paths" (Nov 4, 2024)
ref fractal-analytics-platform/fractal-server#1934
ref fractal-analytics-platform/fractal-server#1986
from fractal-analytics-platform/fractal-server#1934 (comment)
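The rule agreed in this thread, sketched as an added example (not code from fractal-vizarr-viewer or fractal-server): the allow-list is built only from the admin-set `project_dir` and the groups' `viewer_paths`, never from `zarr_dir`. The dict shapes, function names and sample paths are assumptions constructed for illustration.

```python
import posixpath
from pathlib import PurePosixPath


def _norm(path: str) -> PurePosixPath:
    """Lexically normalise an absolute path so '..' cannot slip past the check."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    return PurePosixPath(posixpath.normpath(path))


def allowed_roots(user_settings: dict, user_groups: list) -> set:
    """Collect roots from admin-controlled fields only.

    dataset.zarr_dir is deliberately never read here: the user can set it
    to anything, so it must not feed the access decision.
    """
    roots = set()
    project_dir = user_settings.get("project_dir")  # admin-set, may be unset
    if project_dir:
        roots.add(_norm(project_dir))
    for group in user_groups:
        for viewer_path in group.get("viewer_paths", []):
            roots.add(_norm(viewer_path))
    return roots


def is_allowed(requested: str, roots: set) -> bool:
    """True if the requested path is one of the roots or lies beneath one."""
    try:
        target = _norm(requested)
    except ValueError:
        return False  # relative paths are rejected outright
    # Compare whole path components, so /data/alice does not match /data/alice2.
    return any(target == root or root in target.parents for root in roots)


# Constructed sample data (hypothetical values).
SAMPLE_SETTINGS = {"project_dir": "/data/alice"}
SAMPLE_GROUPS = [{"viewer_paths": ["/shared/public"]}]
SAMPLE_DATASET = {"zarr_dir": "/data/bob/secret"}  # user-set, ignored on purpose

if __name__ == "__main__":
    roots = allowed_roots(SAMPLE_SETTINGS, SAMPLE_GROUPS)
    for path in ("/data/alice/plate.zarr",
                 SAMPLE_DATASET["zarr_dir"] + "/plate.zarr",
                 "/data/alice/../bob/secret/plate.zarr"):
        print(path, "->", is_allowed(path, roots))
```

The check is purely lexical; a deployment that allows symlinks under these roots would also need to resolve them before comparing.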