[iris] Drop vestigial verified_user predicate on max_band cap

rjpower · claude · rjpower · commit f12863f48ef8 · 2026-04-23T17:16:57.000Z
The max_band cap was gated on (auth.provider AND verified_user is not
None), but the lookup already keys on job_id.user — verified_user was
never consulted beyond the presence check. Drop the predicate so the
cap fires whenever auth is configured, regardless of whether the
request context happens to carry a verified identity.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/lib/iris/src/iris/cluster/controller/service.py b/lib/iris/src/iris/cluster/controller/service.py
@@ -1064,7 +1064,7 @@ def launch_job(
             # here and skip the max_band cap below (the cap is meant to prevent
             # unlisted users from punching up, not to re-check admins).
             authorize(AuthzAction.MANAGE_BUDGETS)
-        elif self._auth.provider and verified_user is not None:
+        elif self._auth.provider:
             user_budget = self._db.get_user_budget(job_id.user)
             max_band = user_budget.max_band if user_budget is not None else self._user_budget_defaults.max_band
             if band < max_band:
