satellite/console: prevent unauthorized project mutation

This change further restricts projects members from modifying project
details by restricting the project edit graphql mutation; making it
check if the user performing the operation is the owner of the project.

Change-Id: Iaf10d16269ddc29437d3d5629db06e20cea3004e
This commit is contained in:
Wilfred Asomani 2023-06-26 16:59:14 +00:00 committed by Storj Robot
parent bcce6023c3
commit 30d0094c43
3 changed files with 15 additions and 3 deletions

View File

@ -870,7 +870,7 @@ func TestWrongUser(t *testing.T) {
}`}))
require.Contains(t, body, "not authorized")
// TODO: wrong error code
require.Equal(t, http.StatusInternalServerError, resp.StatusCode)
require.Equal(t, http.StatusUnauthorized, resp.StatusCode)
}
{ // get bucket usages

View File

@ -1813,12 +1813,11 @@ func (s *Service) UpdateProject(ctx context.Context, projectID uuid.UUID, update
return nil, Error.Wrap(err)
}
isMember, err := s.isProjectMember(ctx, user.ID, projectID)
_, project, err := s.isProjectOwner(ctx, user.ID, projectID)
if err != nil {
return nil, Error.Wrap(err)
}
project := isMember.project
if updatedProject.Name != project.Name {
passesNameCheck, err := s.checkProjectName(ctx, updatedProject, user.ID)
if err != nil || !passesNameCheck {

View File

@ -270,6 +270,19 @@ func TestService(t *testing.T) {
})
require.Error(t, err)
require.Nil(t, updatedProject)
user2, userCtx2 := getOwnerAndCtx(ctx, up2Proj)
_, err = service.AddProjectMembers(userCtx1, up1Proj.ID, []string{user2.Email})
require.NoError(t, err)
// Members should not be able to update project.
_, err = service.UpdateProject(userCtx2, up1Proj.ID, console.ProjectInfo{
Name: updatedName,
})
require.Error(t, err)
require.True(t, console.ErrUnauthorized.Has(err))
// remove user2.
err = service.DeleteProjectMembersAndInvitations(userCtx1, up1Proj.ID, []string{user2.Email})
require.NoError(t, err)
})
t.Run("AddProjectMembers", func(t *testing.T) {