satellite/console: prevent unauthorized project mutation

This change further restricts projects members from modifying project
details by restricting the project edit graphql mutation; making it
check if the user performing the operation is the owner of the project.

Change-Id: Iaf10d16269ddc29437d3d5629db06e20cea3004e

satellite/console/consoleweb/endpoints_test.go

@@ -870,7 +870,7 @@ func TestWrongUser(t *testing.T) {
 						}`}))
 			require.Contains(t, body, "not authorized")
 			// TODO: wrong error code
-			require.Equal(t, http.StatusInternalServerError, resp.StatusCode)
+			require.Equal(t, http.StatusUnauthorized, resp.StatusCode)
 		}
 
 		{ // get bucket usages

satellite/console/service.go

@@ -1813,12 +1813,11 @@ func (s *Service) UpdateProject(ctx context.Context, projectID uuid.UUID, update
 		return nil, Error.Wrap(err)
 	}
 
-	isMember, err := s.isProjectMember(ctx, user.ID, projectID)
+	_, project, err := s.isProjectOwner(ctx, user.ID, projectID)
 	if err != nil {
 		return nil, Error.Wrap(err)
 	}
 
-	project := isMember.project
 	if updatedProject.Name != project.Name {
 		passesNameCheck, err := s.checkProjectName(ctx, updatedProject, user.ID)
 		if err != nil || !passesNameCheck {

satellite/console/service_test.go

@@ -270,6 +270,19 @@ func TestService(t *testing.T) {
 				})
 				require.Error(t, err)
 				require.Nil(t, updatedProject)
+
+				user2, userCtx2 := getOwnerAndCtx(ctx, up2Proj)
+				_, err = service.AddProjectMembers(userCtx1, up1Proj.ID, []string{user2.Email})
+				require.NoError(t, err)
+				// Members should not be able to update project.
+				_, err = service.UpdateProject(userCtx2, up1Proj.ID, console.ProjectInfo{
+					Name: updatedName,
+				})
+				require.Error(t, err)
+				require.True(t, console.ErrUnauthorized.Has(err))
+				// remove user2.
+				err = service.DeleteProjectMembersAndInvitations(userCtx1, up1Proj.ID, []string{user2.Email})
+				require.NoError(t, err)
 			})
 
 			t.Run("AddProjectMembers", func(t *testing.T) {