revert(security): remove workspace-env admin gate

Defer to a credential-based access model (separate change). Restores
GET /api/workspaces/[id]/environment to main behavior and removes the test.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/workspaces/[id]/environment/route.test.ts

@@ -23,11 +23,7 @@ import {
   getPersonalAndWorkspaceEnv,
   invalidateEffectiveDecryptedEnvCache,
 } from '@/lib/environment/utils'
-import {
-  getUserEntityPermissions,
-  getWorkspaceById,
-  hasWorkspaceAdminAccess,
-} from '@/lib/workspaces/permissions/utils'
+import { getUserEntityPermissions, getWorkspaceById } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkspaceEnvironmentAPI')
 
@@ -57,21 +53,15 @@ export const GET = withRouteHandler(
         return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
       }
 
-      const [isAdmin, { workspaceEncrypted, workspaceDecrypted, personalDecrypted, conflicts }] =
-        await Promise.all([
-          hasWorkspaceAdminAccess(userId, workspaceId),
-          getPersonalAndWorkspaceEnv(userId, workspaceId),
-        ])
-
-      // Only workspace admins may read plaintext secrets; others get variable names with empty values.
-      const workspace = isAdmin
-        ? workspaceDecrypted
-        : Object.fromEntries(Object.keys(workspaceEncrypted).map((key) => [key, '']))
+      const { workspaceDecrypted, personalDecrypted, conflicts } = await getPersonalAndWorkspaceEnv(
+        userId,
+        workspaceId
+      )
 
       return NextResponse.json(
         {
           data: {
-            workspace,
+            workspace: workspaceDecrypted,
             personal: personalDecrypted,
             conflicts,
           },