If I request to list archived workflows with a small page size (let's say size 1), and the first workflow in the list happens to be in a namespace which I have permissions to, then this call will return successfully.
On the other hand, if I make the exact same request, and the first workflow in the list is in a namespace which I do not have access to, then the API will return 403.
This means the API is inconsistent, depending on the order in which the database returns values.
This could be simplified to:
Is the request asking to list workflows at the cluster scope? If yes, perform the equivalent of: kubectl auth can-i get wf --all-namespaces up front.
Otherwise, perform the equivalent of: kubectl auth can-i get wf --namespace NAMESPACE up front.
In both cases we can return earlier and perform authentication up front, instead of inline.
What you expected to happen:
API should be consistent in behavior.
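The order dependence reported above and the proposed up-front check, modelled in Go as an added example (not part of the original issue and not Argo Workflows' own code). Workflow, Access, listInline and listUpFront are hypothetical names, and Access stands in for the kubectl auth can-i checks.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrForbidden stands in for the API's 403 response.
var ErrForbidden = errors.New("403 forbidden")

// Workflow is a constructed stand-in for an archived workflow row.
type Workflow struct{ Name, Namespace string }

// Access is a hypothetical authorizer: namespaces where the caller may get
// workflows. The key "" grants cluster-wide access (--all-namespaces).
type Access map[string]bool

func (a Access) CanGet(ns string) bool { return a[""] || a[ns] }

// listInline checks each row as the page is read, so row order decides the result.
func listInline(rows []Workflow, a Access, limit int) ([]Workflow, error) {
	var out []Workflow
	for i := 0; i < limit && i < len(rows); i++ {
		if !a.CanGet(rows[i].Namespace) {
			return nil, ErrForbidden
		}
		out = append(out, rows[i])
	}
	return out, nil
}

// listUpFront authorizes the requested scope once (ns == "" is cluster scope).
func listUpFront(rows []Workflow, a Access, ns string, limit int) ([]Workflow, error) {
	if !a.CanGet(ns) {
		return nil, ErrForbidden
	}
	var out []Workflow
	for _, wf := range rows {
		if len(out) < limit && (ns == "" || wf.Namespace == ns) {
			out = append(out, wf)
		}
	}
	return out, nil
}

func main() {
	a := Access{"team-a": true} // constructed caller: may read team-a only
	rows := []Workflow{{"wf-2", "team-b"}, {"wf-1", "team-a"}}
	fmt.Println(listInline(rows, a, 1))            // team-b row comes first
	fmt.Println(listUpFront(rows, a, "team-a", 1)) // scope checked before reading
}
```

With the up-front variant, a cluster-scope request from this caller is refused regardless of row order, and a request scoped to team-a succeeds regardless of row order.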
I've reviewed the code and added a test case that demonstrates this bug does not exist (anymore?); it may be that the implementation has changed since it was raised.
What happened:
See comment:
#1882 (comment)